Active Directory: Setup Guide for Umbrella
This guide explains how to install and configure the Active Directory Components provisioned and
maintained from the Umbrella dashboard. By integrating with your Active Directory environment and
securely forwarding DNS queries to the OpenDNS Global Network, you can enforce and report on
users, computers and groups.
Table of Contents
Overview
Prerequisites
  Virtualized Server Environment on VMware or Hyper-V
  Active Directory Environment
  Network Environment
Step 1: Setup DNS Forwarding via Virtual Appliances
  Route Local DNS Queries
Step 2: Prepare your Active Directory Environment
  Run the Configuration Script on the Domain Controller
  Verify the Domain Controller Reports to the Dashboard
  Repeat for Each Domain Controller Server
Step 3: Connect Active Directory to Umbrella
  Install the Connector
  Verify the Connector Syncs with the Dashboard
  Verify all Active Directory Components are Operational
Step 4: Configure Settings in Dashboard
Step 5: Route DNS Traffic through the Virtual Appliances
Multiple AD Sites
Appendix A: Prepare a Separate non-Domain Controller to Install the Connector
Appendix B: Configuring Domain Controllers on Windows Server 2003 and 2003 R2
  Setting the Manage auditing and security log Group Policy
  Setting DCOM permissions
  Setting WMI permissions
Overview
The Active Directory integration consists of two components that must reside in your network at each
independent AD site:

NOTE: An Active Directory site in the context of this document means an independent location with its own Domain
Controller server(s), DNS server(s), and connection to the Internet.

1. The Virtual Appliance (VA for short), which
   - Forwards external DNS queries with non-sensitive metadata to the OpenDNS Global Network

   NOTE: The recommended requirements for installation include a second VA for redundancy (not shown in
   the diagram) to ensure uptime during upgrades and high availability.

   IMPORTANT! In order for the Virtual Appliance to properly route local DNS queries and external DNS queries, all clients
   that are to be managed by Umbrella must use the addresses of your VAs as their DNS servers.

2. The Connector, which
   - Securely communicates non-sensitive user and computer login info to the Virtual Appliances, and
   - Securely communicates non-sensitive user and computer group info to the OpenDNS Global Network

   NOTE: If your security policy requires it, the Connector can be installed on a different non-Domain
   Controller (see Appendix A for details).
This guide explains how to install the components to integrate with Active Directory and verify that
they are working properly before you deploy them.
Prerequisites
To support the Active Directory integration, you must have a Virtual Appliance configured.
Virtualized Server Environment on VMware or Hyper-V
Requirements for VMware:
- Your ESXi server host is set to the correct date and time for predictable VA behavior.
- Your ESXi server host has at least one CPU core, 512 MB of RAM and 6.5 GB of hard disk drive space available
  to be provisioned per Virtual Appliance instance.
- We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of
  an outage or an upgrade of the VA. A "site" refers to a localized contiguous subnet without NAT between the VA
  and the network.
Requirements for Hyper-V:
- Windows Server 2012, Windows Server 2012 SP1 or Windows Server 2012 R2 (Standard or Datacenter)
  with Hyper-V.
- Your Windows 2012 server is set to the correct date and time for predictable VA behavior.
- In addition to the minimum hardware required to run Windows Server 2012, we recommend:
  o An additional 512 MB of RAM for each Virtual Appliance
  o Allocation of 7 GB of disk space for each Virtual Appliance
  o An additional CPU core for each Virtual Appliance. (Note: this may not be necessary if the server
    provisioned for Hyper-V is highly spec'd.)
- We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of
  an outage or an upgrade of the VA. A "site" refers to a localized contiguous subnet without NAT between the VA
  and the network.
Active Directory Environment
- Windows Server 2003, 2003 R2, 2008 or 2008 R2, 2012 or 2012 R2 with the latest service packs and
  100 MB of free hard disk drive space.

IMPORTANT! Read-Only Domain Controllers (RODCs) should not have the script run on them or have the
Connector installed. RODCs can be present in a domain and will report as Identities, but
must not be used for the Active Directory integration.

- Only a single-domain environment is supported (child domains and trusts are not supported at this time). Multi-domain
  environments require a multi-dashboard setup. Please contact support@opendns.com with information
  regarding your domain structure if you have any questions about whether it is supported. If you would like to
  see multi-domain support, please e-mail the Support team to let us know!

IMPORTANT! When deploying Active Directory Components at more than one WAN-linked (MPLS-type
network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at the
current site before moving on to the next.

- Make sure the OpenDNS_Connector user is a member of the following groups and, if not, add the
  missing ones:

IMPORTANT! For environments on Windows Server 2003 and Windows Server 2003 R2, several manual
steps are required (see Appendix B for instructions).
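The Active Directory prerequisites above can be checked in one pass before anything is installed. The following script is an added example and is not part of the OpenDNS guide or the OpenDNS configuration script; it assumes the RSAT ActiveDirectory module, an account that can read domain, Domain Controller and group objects, and that you pass the group list from the prerequisites as -RequiredGroups (the script does not know which groups the guide requires). The function name Test-AdIntegrationPrereqs is made up for this example.

```powershell
# Added example (not from the OpenDNS guide): pre-flight checks for the Active Directory prerequisites.
Import-Module ActiveDirectory

function Test-AdIntegrationPrereqs {
    param(
        [string] $ConnectorUser = 'OpenDNS_Connector',
        # Supply the group names listed in the prerequisites; they are not hard-coded here.
        [Parameter(Mandatory = $true)] [string[]] $RequiredGroups
    )

    # 1. Single-domain only: child domains and trusts are not supported by the integration.
    $domain = Get-ADDomain
    $trusts = @(Get-ADObject -Filter "objectClass -eq 'trustedDomain'" -SearchBase $domain.SystemsContainer)

    # 2. Domain Controllers: the configuration script must not be run on RODCs, and
    #    2003 / 2003 R2 hosts need the manual Appendix B steps before step 2.
    $dcs = Get-ADDomainController -Filter * | ForEach-Object {
        [pscustomobject]@{
            Name      = $_.HostName
            IPv4      = $_.IPv4Address
            Site      = $_.Site
            OS        = $_.OperatingSystem
            RunScript = (-not $_.IsReadOnly)                  # skip RODCs
            ManualGpo = ($_.OperatingSystem -like '*2003*')   # Appendix B required
        }
    }

    # 3. The Connector account must exist and hold every required group membership.
    $user     = Get-ADUser -Identity $ConnectorUser -ErrorAction Stop
    $memberOf = @((Get-ADPrincipalGroupMembership -Identity $user).Name)
    $missing  = @($RequiredGroups | Where-Object { $memberOf -notcontains $_ })

    [pscustomobject]@{
        Domain            = $domain.DNSRoot
        ChildDomains      = @($domain.ChildDomains)
        Trusts            = @($trusts | ForEach-Object { $_.Name })
        DomainControllers = $dcs
        MissingGroups     = $missing
    }
}

# Usage: replace the group names with the ones from the prerequisites list.
$r = Test-AdIntegrationPrereqs -RequiredGroups @('<group from prerequisites>')
$r.DomainControllers | Format-Table -AutoSize
if ($r.ChildDomains.Count -or $r.Trusts.Count) {
    Write-Warning "Child domains ($($r.ChildDomains -join ', ')) or trusts ($($r.Trusts -join ', ')) present; not supported."
}
if ($r.MissingGroups.Count) {
    Write-Warning "OpenDNS_Connector is missing: $($r.MissingGroups -join ', ')"
    # Remediate with: Add-ADGroupMember -Identity '<group>' -Members 'OpenDNS_Connector'
}
```

Any Domain Controller reported with RunScript = False is an RODC and must be left out of Step 2; any with ManualGpo = True needs Appendix B first.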
Network Environment
The following requirements for your network environment ensure that the VAs can communicate with OpenDNS. They
apply to both VMware and Hyper-V.
- Open the following outbound ports from the VAs to the 67.215.92.0/24 subnet and to the OpenDNS DNS resolvers:
  80 TCP (67.215.92.0/24)
- Do not place devices that perform network address translation (NAT), or that in any other way obscure the internal IP
  address(es), between the client computers and the Virtual Appliance at each site. The VA attributes each DNS query
  to a user or computer by the client's source IP address; behind NAT, many clients would appear as one identity.
- Make sure there are no transparent proxies in the path, since they intercept the VAs' outbound connections and cause issues.
nslookup 192.168.1.2
Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
2.1.168.192.in-addr.arpa  name = va01.corp.domain.com.

nslookup va01.corp.domain.com
Server:  192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name:    va01.corp.domain.com
Address: 67.215.92.152
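The forward and reverse lookups shown above, together with the outbound port requirement from the Network Environment section, can be checked for every VA from a Windows host on the same subnet as the VAs (the VAs are appliances, so the port test is run from beside them rather than on them). This is an added example, not from the OpenDNS guide; the VA hostnames va01/va02.corp.domain.com and the 67.215.92.152 address used for the port test are assumed values, and the function names are made up for this example.

```powershell
# Added example (not from the OpenDNS guide): verify VA DNS records and outbound TCP 80.

function Test-VaDnsRecords {
    param([string[]] $VirtualAppliances = @('va01.corp.domain.com', 'va02.corp.domain.com'))
    # Each VA needs an A record and a PTR record that point back at each other,
    # which is what the nslookup pair above checks by hand. Uses the host's
    # configured resolver, i.e. your local DNS server.
    foreach ($va in $VirtualAppliances) {
        $a = $null; $ptr = $null
        try {
            $a = [System.Net.Dns]::GetHostAddresses($va) |
                 Where-Object { $_.AddressFamily -eq 'InterNetwork' } | Select-Object -First 1
            if ($a) { $ptr = [System.Net.Dns]::GetHostEntry($a).HostName }
        } catch { }
        [pscustomobject]@{
            VA         = $va
            A          = "$a"
            PTR        = "$ptr"
            Consistent = [bool]($ptr -and ($ptr.TrimEnd('.') -ieq $va))
        }
    }
}

function Test-OutboundPort {
    param([string] $Address, [int] $Port, [int] $TimeoutMs = 3000)
    # Plain TCP connect with a timeout; works on PowerShell 2.0 where Test-NetConnection is absent.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Test-VaDnsRecords | Format-Table -AutoSize

# The guide requires TCP 80 from the VAs to 67.215.92.0/24; test one address in that subnet.
$reachable = Test-OutboundPort -Address '67.215.92.152' -Port 80
"TCP 80 to 67.215.92.0/24 reachable from this subnet: $reachable"
```

A VA row with Consistent = False means the A and PTR records disagree (or one is missing) in local DNS and should be fixed before moving on; a False port result usually points at an egress firewall rule or a transparent proxy in the path.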
IMPORTANT! For environments running on Windows Server 2003 or Windows Server 2003 R2, several manual steps
are required before completing step 2 (see Appendix B for instructions).
IMPORTANT! Do not run this script on any Read-Only Domain Controllers (RODCs) in your environment. RODCs are not
supported.
NOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the
prerequisites. There are also several Group Policies that affect system operation and may need
manual configuration. The script displays the status of these settings and, if needed, provides
instructions on changing them.
NOTE: The configuration script only runs once; it is not an application or service. If you change the IP address
or hostname of a Domain Controller, remove the previous instance of the Domain Controller by
clicking the round X icon, and repeat tasks 1-4.
NOTE: It can take up to 10 minutes for large numbers of AD user, computer and group objects to
synchronize for the first time.
IMPORTANT: Clicking on a group shows its members, including nested groups, user accounts and computer
accounts. Selecting the group applies the policy to all its members. You can select only a nested
group, not an individual user or computer account. As a best practice, centrally manage your
group memberships in Active Directory. Any changes are synced with Umbrella within a few
minutes.
3. Select the 'Policy Settings', including the Security Settings, Category Settings and Domain Lists for your identity.
4. Click Next, then select the 'Block Page Settings' you would like enforced for this policy. Then click Next.
NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings'
pages to do so.
5. Set a meaningful description for the policy, then click Save.
NOTE: The policy you created is applied within 60-90 seconds to any new connections coming into
Umbrella from the selected computers.
6. Click and hold the drag handle icon
NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an
identity is enforced; any subsequent policies assigned to the same identity are ignored. The Default Policy,
which can be edited but not removed, is always ordered last and is a catch-all for any identity.
IMPORTANT: When testing policy enforcement, some DNS responses may already be cached for several
minutes to days. You may want to flush the DNS cache in both the browser and the OS to
avoid waiting for the cached responses to expire.
2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your
organization.
3. Once you've verified correct enforcement of policies with your pilot group of computers, you can either stage
the cutover to using the Virtual Appliances for DNS or cut over the entire organization. The best time to make
the cutover is typically after users log out for the day.
4. When users log in after the installation is complete, they should begin sending all DNS queries to one of
the VAs forwarding DNS traffic.
NOTE: Most stub DNS resolvers (those that reside on endpoint devices) do not have a true primary vs.
secondary DNS server relationship. On many operating systems, which of the configured DNS servers a stub
resolver uses at any given time is undocumented, so every DNS server handed to a client must be a VA.
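The pilot-scope approach in steps 2-4 can be scripted so the previous DNS servers are kept for rollback and a pilot client is checked for exactly the stub-resolver problem the note describes. This is an added example and not from the OpenDNS guide; the DHCP server name, scope ID and VA addresses are assumed values, the function names are made up, and it needs the DhcpServer RSAT module (Windows Server 2012 or later) on the admin host and the DnsClient module (Windows 8 / Server 2012 or later) on the client.

```powershell
# Added example (not from the OpenDNS guide): point one DHCP scope at the VAs, then verify a pilot client.

# --- Run on an admin host with the DhcpServer module ---
function Set-PilotScopeDns {
    param(
        [string]   $DhcpServer  = 'dhcp01.corp.domain.com',
        [string]   $ScopeId     = '192.168.1.0',
        [string[]] $VaAddresses = @('192.168.1.2', '192.168.1.3')   # both VAs, never just one
    )
    Import-Module DhcpServer
    # Option 006 is the DNS server list. Keep the current value so the pilot can be
    # rolled back with:
    #   Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -DnsServer $previous
    $previous = @((Get-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId `
                    -OptionId 6 -ErrorAction SilentlyContinue).Value)
    Set-DhcpServerv4OptionValue -ComputerName $DhcpServer -ScopeId $ScopeId -DnsServer $VaAddresses
    [pscustomobject]@{
        Scope       = $ScopeId
        PreviousDns = ($previous -join ',')
        NewDns      = ($VaAddresses -join ',')
    }
}

# --- Run on a pilot client after the scope change ---
function Test-PilotClientDns {
    param([string[]] $VaAddresses = @('192.168.1.2', '192.168.1.3'))
    ipconfig /renew | Out-Null       # pick up the changed scope option
    Clear-DnsClientCache             # OS cache only; restart the browser to drop its own cache
    $active = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
                ForEach-Object { $_.ServerAddresses } |
                Where-Object { $_ } | Sort-Object -Unique)
    # Stub resolvers do not reliably prefer the first server, so every configured
    # address must be a VA; anything else is a path around Umbrella.
    $foreign = @($active | Where-Object { $VaAddresses -notcontains $_ })
    [pscustomobject]@{
        ActiveDns = ($active -join ',')
        OnlyVAs   = ($foreign.Count -eq 0)
        Bypass    = ($foreign -join ',')
    }
}

# Usage (admin host):  Set-PilotScopeDns
# Usage (pilot client): Test-PilotClientDns
```

Run the client check on a few machines from the pilot scope; OnlyVAs must be True on each before widening the cutover, and any address listed under Bypass is a DNS server that still lets that client skip the VAs.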
Multiple AD Sites
A site is a separate physical location or network that does not have a direct, or very fast, connection to another node of your network.
Follow steps 1-5 again and, after each sub-step that verifies a component has synced or
reported to the dashboard, assign the component to a site by clicking its name and selecting an
existing site or creating a new one.
3. Join the machine to the same domain as the Domain Controller being connected to.
4. Open the WMI ports via the following command, run as Administrator:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
5. [Optional] If there is no access to a network file share to retrieve the file locally, download and/or unrestrict
Internet Explorer (http://www.microsoft.com/download/en/details.aspx?id=25150) or install a different browser.
NOTE: Alternatively, 2008 R2 servers should have GPMC installed, and you can apply the following
permissions from that server; they replicate to the 2003 or 2003 R2 server.
2. Open the GPMC (via Start > Administrative Tools) and select a Group Policy that applies to Domain
Controllers.
NOTE: If you aren't sure which policy to change, open a command prompt and run
"gpresult /scope computer /r". Look for the "Applied Group Policy Objects" line; under it is a list
of policies applied to that Domain Controller. Note one that is likely to be applied to all
Domain Controllers (e.g. Default Domain Controllers Policy).
3. Right-click that policy and select Edit to bring up the Group Policy Management Editor.
4. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies >
User Rights Assignment, and open "Manage auditing and security log".
5. Check "Define these policy settings", click "Add User or Group", then browse to and select the OpenDNS_Connector
user.
6. Run "gpupdate" on the Domain Controller to make sure the policy is applied.
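After gpupdate, the effective user right on the Domain Controller can be confirmed rather than assumed. The following is an added example, not from the OpenDNS guide; it checks only the "Manage auditing and security log" right (SeSecurityPrivilege) granted above, not the DCOM or WMI permissions from the rest of Appendix B. Run it elevated on the Domain Controller; the domain NetBIOS name CORP and the function name are assumptions.

```powershell
# Added example (not from the OpenDNS guide): verify SeSecurityPrivilege on a Domain Controller.
function Test-SecurityLogRight {
    param([string] $Account = 'CORP\OpenDNS_Connector')

    # secedit lists right holders as SIDs prefixed with '*', so resolve the account to its SID.
    $sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # Export only the user-rights area of the effective local security policy.
    $cfg = Join-Path $env:TEMP ('user_rights_{0}.inf' -f [guid]::NewGuid())
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    try {
        $line = Get-Content $cfg | Where-Object { $_ -match '^SeSecurityPrivilege\s*=' }
    } finally {
        Remove-Item $cfg -Force -ErrorAction SilentlyContinue
    }

    $holders = @()
    if ($line) {
        $holders = @(($line -split '=', 2)[1] -split ',' |
                     ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ })
    }

    # Resolve holder SIDs to names for the report. Groups that grant the right indirectly
    # are not expanded here; step 5 adds the user directly, which is what is checked.
    $names = $holders | ForEach-Object {
        try {
            (New-Object System.Security.Principal.SecurityIdentifier($_)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $_ }
    }

    [pscustomobject]@{
        Account = $Account
        Granted = ($holders -contains $sid)
        Holders = ($names -join ', ')
    }
}

$r = Test-SecurityLogRight
if (-not $r.Granted) {
    Write-Warning ("{0} lacks SeSecurityPrivilege. Run 'gpupdate /force', confirm the GPO with " +
                   "'gpresult /scope computer /r', then re-check. Current holders: {1}") -f $r.Account, $r.Holders
}
```

If Granted stays False after a forced update, the policy you edited is not one that applies to this Domain Controller; pick one from the "Applied Group Policy Objects" list in the gpresult output.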
Umbrella is brought to you by OpenDNS.