Active Directory

Active Directory:
Setup Guide for Umbrella

This guide explains how to install and configure the Active Directory Components provisioned and
maintained from the Umbrella dashboard. By integrating with your Active Directory environment and
securely forwarding DNS queries to the OpenDNS Global Network, you can enforce and report on
users, computers and groups.

Table of Contents
Overview .................................................................................................................................... 3!
Prerequisites .............................................................................................................................. 5!
Virtualized Server Environment on VMware or Hyper-V ................................................................. 5!
Active Directory Environment .................................................................................................... 5!
Network Environment ............................................................................................................... 6!
Step 1: Setup DNS Forwarding via Virtual Appliances..................................................................... 7!
Route Local DNS Queries ......................................................................................................... 7!
Step 2: Prepare your Active Directory Environment ......................................................................... 8!
Run the Configuration Script on the Domain Controller ................................................................ 8!
Verify the Domain Controller Reports to the Dashboard ................................................................ 9!
Repeat for Each Domain Controller Server .................................................................................. 9!
Step 3: Connect Active Directory to Umbrella .............................................................................. 10!
Install the Connector .............................................................................................................. 10!
Verify the Connector Syncs with the Dashboard ......................................................................... 10!
Verify all Active Directory Components are Operational .............................................................. 11!
Step 4: Configure Settings in Dashboard ..................................................................................... 12!
Step 5: Route DNS Traffic through the Virtual Appliances ............................................................ 13!
Multiple AD Sites...................................................................................................................... 14!
Appendix A: Prepare a Separate non-Domain Controller to Install the Connector ............................. 15!
Appendix B: Configuring Domain Controllers on Windows Server 2003 and 2003 R2 ...................... 16!
Setting the Manage auditing and security log Group Policy....................................................... 16!
Setting DCOM permissions ..................................................................................................... 17!
Setting WMI permissions ........................................................................................................ 17!

Active Directory Setup Guide for Umbrella: Page 2

Overview
The Active Directory integration consists of two components that must reside in your network at each
independent AD site:
!NOTE: An Active Directory site in the context of this document means an independent location with its own Domain
Controller server(s), DNS server(s), and connection to the Internet.
1. The Virtual Appliance (VA for short), which

Runs in a virtualized server environment,

Forwards local DNS queries to your existing DNS servers and

Forwards external DNS queries with non-sensitive metadata to the OpenDNS Global Network

!NOTE: The recommended requirements for installation include a second VA for redundancy (not shown in
the diagram) to ensure uptime during upgrade and high availability.

! IMPORTANT! In order for the Virtual Appliance to properly route local DNS queries and external DNS queries, all clients
that are to be managed by Umbrella need to have their DNS addresses be the addresses of your VAs.

2. The Connector, which

Runs in your Active Directory environment,

Securely communicates non-sensitive user and computer login info to the Virtual Appliances and

Securely communicates non-sensitive user and computer group info to the OpenDNS Global Network

!NOTE: If your security policy requires it, the Connector can be installed on a different non-Domain
Controller (see Appendix A for details).

Active Directory Setup Guide for Umbrella: Page 3

This guide explains how to install the components to integrate with Active Directory and verify that
they are working properly before you deploy them.

Active Directory Setup Guide for Umbrella: Page 4

Prerequisites
To support the Active Directory integration, you must have a Virtual Appliance configured.
Virtualized Server Environment on VMware or Hyper-V
Requirements for VMware:

VMware ESXi 4.1 update 2 or newer to create the Virtual Appliances.

Your ESXi server host is set to the correct date and time for predictable VA behavior.

Your ESXi server host has at least one CPU core, 512Mb of RAM and 6.5Gb of hard disk drive space available
to be provisioned per Virtual Appliance instance.

We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of
outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA
and the network.

Requirements for Hyper-V:

Windows Server 2012, Window Server 2012 SP1 or Windows Server 2012 R2 (Standard or Data Center)
with Hyper-V.

Your Windows 2012 server is set to the correct date and time for predictable VA behavior.
In addition to the minimum required hardware to run Windows Server 2012, we recommend:
o An additional 512Mb of RAM for each Virtual Appliance
o Allocation of 7GB of disk space for each Virtual Appliance
o An additional CPU core for each Virtual Appliance. (Note: This may not be necessary if the server
provisioned for Hyper-V is highly spec'd).

We require a minimum of two (2) virtual appliances per site to be deployed for high availability in case of
outage or upgrade to the VA. A "site" refers to a localized contiguous subnet without NAT between the VA
and the network.

Active Directory Environment

Windows Server 2003, 2003 R2, 2008 or 2008 R2, 2012 or 2012 R2 with the latest service packs and
100Mb free hard disk drive space.

! IMPORTANT! Read Only Domain Controllers (RODCs) should not have the script run on them, or have the
Connector installed. RODCs can be present in a domain and will report as Identities, but
should not be used for the Active Directory Integration.

Only a single domain environment (child domains and trusts are not supported at this time). Multi-domain
environments require a multi-dashboard experience. Please contact support@opendns.com with information
regarding your domain structure if you have any questions about whether it is supported. If you would like to
see multi-domain support, please e-mail the Support team to let us know!

! IMPORTANT! When deploying Active Directory Components at more than one WAN-linked (MPLS-type
network) AD site, repeat steps 1-5 after verifying a complete, functioning installation at
current site before moving on to the next.

A new user account must be created with the following information:

Active Directory Setup Guide for Umbrella: Page 5

The logon name (aka. sAMAccountName) set to OpenDNS_Connector.

The box Password never expires checked.

A password entered without backslash or quotation characters.

Make sure the OpenDNS_Connector user is a member of the following groups and if not, please add the
missing ones:
"

Event Log Readers

"

Distributed COM users

"

Enterprise Read-only Domain Controllers

! IMPORTANT! For environments on Windows Server 2003 and Windows Server 2003 R2, several manual
steps are required (see Appendix B for instructions).

Network Environment
The following requirements are for your Network Environment to ensure you can communicate with OpenDNS. These
requirements apply to both VMware and Hyper-V.
Set the following outbound ports to be open from the VAs to the 67.215.92.0/24 subnet and the OpenDNS DNS resolvers:

53 TCP & UDP (208.67.220.220 and 208.67.222.222)

443 TCP & UDP (67.215.92.0/24)

80 TCP (67.215.92.0/24)

2222 TCP (67.215.92.0/24)

Do not place devices with network address translation (NAT), or that in any manner obfuscates the internal IP
address(es) between the computers and the Virtual Appliance at each site.

Make sure you do not have transparent proxies on your network to avoid issues.

Active Directory Setup Guide for Umbrella: Page 6

Step 1: Setup DNS Forwarding via Virtual Appliances

The purpose of Virtual Appliances is to map internal source IP addresses to AD users and computers then forward external
DNS queries from your network to the OpenDNS Global Network data centers. Local DNS queries are forwarded to your
internal DNS servers.
To create Virtual Appliances, follow the steps outlined in the Virtual Appliance Setup Guide for Umbrella guide.
An important step that is worth re-iterating here is the routing of the local DNS queries for your network when configuring
the Virtual Appliances, as often the existing DNS servers may also be part of your Active Directory resources (a domain
controller)

Route Local DNS Queries

To ensure correct DNS responses to local hosts inside your internal network, you will want to configure your VAs to
route queries to your existing DNS servers.
To add internal DNS zones:
1. From the VMware console, select Edit.
2. Use Tab until you have highlighted the Add domain option.
3. Add your internal zone(s) (e.g. example.com).
4. Add your reverse zone(s) (e.g. if your network is 192.168.1.0/24 you should add: 1.168.192.in-addr.arpa).
5. Select Save and hit Enter.
To add A & PTR records for your VAs
1. On your local DNS server, click Start, Run and type dnsmgmt.msc
2. Navigate to your forward lookup zones for your local domain (e.g. corp.domain.com).
3. Select the local zone (e.g. corp.domain.com).
4. On the right hand side right-click, select New Host.
5. Enter a hostname for the VA, an IP and make sure the box Create associated pointer (PTR) record is checked.
6. Click Add Host.
To verify if the records were created correctly, you can test with nslookup:
1. Enter: nslookup (IP ADDRESS of the VA). For example:
#

nslookup 192.168.1.2
Server:192.168.1.1
Address:192.168.1.1#53
Non-authoritative answer:
1.168.192.in-addr.arpaname = va01.corp.domain.com.

2. Enter: nslookup (HOSTNAME of the VA). For example:

#

nslookup va01.corp.domain.com
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: va01.corp.domain.com
Address: 67.215.92.152

Active Directory Setup Guide for Umbrella: Page 7

Step 2: Prepare your Active Directory Environment

Running the Windows Configuration script on at least 1 of the Domain Controllers (DCs) at each Site prepares them to
communicate with the Connector, which will be installed in Step 3.

! IMPORTANT! For environments running on Windows Server 2003 or Windows Server 2003 R2, several manual steps
are required before completing step 2 (see Appendix B for instructions).
! IMPORTANT! Do not run this script on any Read Only Domain Controllers (RODCs) in your environment. RODCs are not
supported.

Run the Configuration Script on the Domain Controller

1. From the 'Active Directory Configuration' page, click download components and then 'Windows Configuration'.
2. Download the file and save it to a location on the machine you plan to run it on.
!NOTE: The configuration script is written in Visual Basic Script and is human readable. For reference, it
automates the instructions youll find in Appendix B, plus more. Contact support for more details.
3. As Admin, open an elevated command prompt.
4. Enter: cscript <filename> where <filename> is the name of the configuration script you downloaded in Step 2.
The script will display your current configuration, then offer to auto-configure the Domain Controller for
operation. If the auto-configure steps are successful, the script will register the Domain Controller with the
Umbrella dashboard.

! NOTE: The OpenDNS_Connector user must be created before running the script, as detailed in the
prerequisites. There are also several Group Policies that affect system operation that may need
manual configuration. The script will display the status of these settings and, if needed, provide
instructions on changing them.

Active Directory Setup Guide for Umbrella: Page 8

Verify the Domain Controller Reports to the Dashboard

When you return to the Dashboard, you will see the hostname of the Domain Controller you just ran the script on in
the Inactive state

on the 'Active Directory Configuration' page.

!NOTE: The configuration script only runs once; it is not an application or service. If you change the IP address
or hostname of the Domain Controllers, remove the previous instance of the Domain Controller by
clicking the round X icon, and repeat tasks 1-4.

Repeat for other Domain Controller Servers

Repeat the above steps to prepare additional Domain Controllers in your single domain environment to successfully
communicate with the Connector. Its a good idea to have another Connector for the purposes of High Availability
in case of downtime associated with patching or upgrades.

Active Directory Setup Guide for Umbrella: Page 9

Step 3: Connect Active Directory to Umbrella

The purpose of the Connector is to monitor one or more Domain Controllers. It listens to user and computer logins via the
security event logs, and subsequently enables IP-to-user and IP-to-computer mappings on the Virtual Appliances. It
synchronizes user-to-group, computer-to-group and group-to-group memberships within Umbrella, enabling you to create
and enforce group-based settings and view user, computer and group-based reports.
The connector helps import your Active Directory Users, Groups and Computers to provide these mappings. Other Active
Directory objects, including Organization Units (OUs) are not imported.
!NOTE: You only need to install one Connector per site, but you may install more than one. If your security policy does
not allow you to install software directly on your Domain Controller you can install it on a separate Windows
machine (see Appendix A), otherwise it is recommended to install the Connector on one or more of your Domain
Controllers.

Install the Connector

1. From the Active Directory Configuration page, click download components and then 'Windows Service'.
! IMPORTANT! You must download the zip file to the local machine where you plan to run it or copy it locally
from another machine. Issues have been observed attempting to install the connector from
networked drives.
2. As Admin, select the zip file and extract the setup.msi file.
3. Run setup.msi.
4. Enter the password you configured for the OpenDNS_Connector user you created. (see Prerequisites)
5. Follow the setup wizard prompts.
6. When finished, click Close.
7. Return to the Dashboard.

Verify the Connector Syncs with the Dashboard

1. When you return to the Dashboard, you will see the hostname of the Domain Controller or other Windows
machine that you installed the Connector on the 'System Settings > Sites & Active Directory' page.
2. Umbrella automatically configures and connects the VAs to the Domain Controllers via the Connectors for each
configured site, and the status of all of your VAs, Domain Controllers, and Connectors should change from
Inactive

to Active

. If not, contact support.

3. Navigate to 'Configuration > Policies'.

i. The Domain Controllers should automatically synchronize user and computer group memberships, and
any subsequent changes, with Umbrella via the Connector. You can verify that this has occurred
successfully by clicking 'add a new policy' and confirming that your groups are present.
ii. As such, you should see all of your AD Groups, included those nested within other groups, within the
identity picker of the policy wizard.
iii. If you dont see your groups, check the 'System Settings > Sites & Active Directory' page to see if the
status of all components is Active

. If not, contact support@opendns.com.

!NOTE: It can take up to 10 minutes for large numbers of AD user, computer and group objects to
synchronize for the first time.

Active Directory Setup Guide for Umbrella: Page 10

Verify all Active Directory Components are Operational

1. Before you deploy your Umbrella configuration, confirm that you can resolve DNS traffic by entering the
following command that sends a query to opendns.com through your VA:
C:\>nslookup
> server {{enter the IP of one of your VA's}}
> opendns.com
2. You can further verify DNS traffic by entering the following command to send a TXT Record query to
debug.opendns.com through the VA:
> set type=TXT
> debug.opendns.com
> exit
This query returns a string of information if you are going through the VA. If you receive a non-existent domain
result from that query, there is still something wrong with your configuration and you should contact support.

Active Directory Setup Guide for Umbrella: Page 11

Step 4: Configure Settings in Dashboard

Once verifying that all Active Directory components were integrated successfully, define and apply security and acceptable
use policies to AD Groups.
1. Navigate to Configuration > Policies, and click add a new policy or click the name of an existing policy.
2. Check the AD Groups box if you want to apply a single policy for all AD users and/or computers, or check the box
next to one or more specific groups via the identity picker. To remove a selected group, either uncheck its box via
the identity picker or click the red X icon to the right of its name. Then click next.

! IMPORTANT: Clicking on a group will show its members including nested groups, user accounts or computer
accounts. Selecting the group will apply the policy to all its members. You can select only a nested
group, but not an individual user or computer account. As a best practice, centrally manage your
group memberships in Active Directory. Any changes will be synced with Umbrella within a few
minutes.
3. Select the 'Policy Settings', including the Security Settings, Category Settings and Domain Lists for your identity.
4. Click next then select 'Block Page Settings' you would like enforced for this policy. Then click next.
!NOTE: If you have not yet created any non-default settings, go to the 'Policy Settings' or 'Block Page Settings'
pages to do so.
5. Set a meaningful description for the policy, then click save.
!NOTE: The policy you created will be applied within 60-90 seconds to any new connections coming into
Umbrella from the selected computers.
6. Click and hold the drag handle icon

to re-order the policy above or below any other existing policies.

!NOTE: Policy execution follows a top-down, first-match order of operations. The first policy assigned to an
identity is enforced. Any subsequent policies assigned to the same identity are ignored. There is an
editable, but immutable, Default Policy always ordered last, which is a catchall for any identity.

Active Directory Setup Guide for Umbrella: Page 12

Step 5: Route DNS Traffic through the Virtual Appliances

In order for you to begin enforcing your settings, all DNS traffic from the clients on your network should be routed through
your Virtual Appliances.
1. First, start by testing on a few devices by manually configuring their DNS settings to use the Virtual
Appliances. Try different operating systems or hardware types to ensure compatibility with all your devices.

! IMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several
minutes to days. You may want to flush the DNS cache via both the browser and the OS to
avoid waiting for the cached responses to expire.
2. If possible, a good next step is to change the DNS settings for a specific DHCP server pool or scope in your
organization.
3. Once youve verified correct enforcement of policies with your pilot group of computers, you can either stage
the cut over to using the Virtual Appliances for DNS or cut over the entire organization. The best time to affect
the cut over is typically after users log out for the day.
4. When users log in after the installation is complete, they should begin sending all DNS queries to the one of
the VAs forwarding DNS traffic.

! NOTE: Most stub DNS resolvers, those that reside on endpoint devices, do not have a true primary vs.
secondary DNS server relationship. Stub DNS resolvers behavior on many operating systems are
undocumented in regards to which DNS server they will use at any time.

Active Directory Setup Guide for Umbrella: Page 13

Multiple AD Sites
A site is a separate physical location or network which does not have a direct, or very fast connection to another node of your network.

Follow the previous steps 1-5 again, and after each sub-step to verify that the component has synced or
reported to the dashboard, assign the component to a site by clicking on its name and selecting an
existing site or creating a new site.

You may also rename the default or any existing sites.

! IMPORTANT: When testing the policy enforcement, some DNS responses may already be cached for several minutes to
days. You may want to flush the DNS cache via both the browser and the OS to avoid waiting for the
cached responses to expire.

Active Directory Setup Guide for Umbrella: Page 14

Appendix A: Prepare a Separate non-Domain Controller to Install the Connector

If your security policy requires it, the Connector can be installed on a non-Domain Controller machine, but it must be
joined to the same domain as the Domain Controllers that the Connector will be monitoring.

1. Provision a virtual or physical machine using a static IP.

2. Install one of the three supported Windows OS and other components below.
a) Windows Server 2008 R2 SP1 (Preferred)
i.

Install AD Domain Services Snap-ins and Command-line Tools feature via

Remote Server Administration Tools >
Role Administration Tools >
AD DS & AD Lightweight Directory Services Tools >
AD DS Tools

ii.

Install .NET v3.5

b) Windows Server 2008 SP2

i.

Install Active Directory Lightweight Directory Services role

ii.

Install .NET v3.5

c) Windows 7 (non-home license)

i.

Install Remote Support Administration Tools download available from http://go.microsoft.com/fwlink/?LinkID=137379

ii.

Install .NET v3.5

3. Join machine to the same domain as the Domain Controller (domain controller) being connected to
4. Open WMI ports via the following command run as Administrator:
netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes
5. [Optional] If there is no access to a network file share to retrieve the file locally, download and/or unrestrict
Internet Explorer (http://www.microsoft.com/download/en/details.aspx?id=25150) or install a different browser.

Active Directory Setup Guide for Umbrella: Page 15

Appendix B: Configuring Domain Controllers on Windows Server 2003 and 2003 R2

Setting the Manage auditing and security log Group Policy
! NOTE: Adding the OpenDNS_Connector user to this group policy for all Domain Controllers is also required in certain
Windows Server 2008 configurations.
1. By default, Windows Server 2003 does not come with the Group Policy Management Console (GPMC) and it
may be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=21895.

! NOTE: Alternatively, 2008 R2 servers should have GPMC installed and you can apply the following
permissions from this server to be replicated to the 2003 or 2003 R2 server.
2. Open the GPMC (via Start > Administrative Tools), and select a Group Policy that applies to Domain
Controllers.

! NOTE: If you arent sure what policy to change, open a command prompt and type the following command:
"gpresult /scope computer /r". Look for the Applied Group Policy Objects line. Under it will be a list
of policies applied to that Domain Controller. Make note of one that is likely to be applied to all
Domain Controllers (e.g. Default Domain Controllers Policy).
3. Right-click that policy and select Edit to bring up the Group Policy Management Editor.

4. Browse to the Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights

Assignment folder and select Manage audit and security log to view its properties.

Active Directory Setup Guide for Umbrella: Page 16

5. Check "Define these policy settings", click "Add user or group", browse and select the OpenDNS_Connector
user.
6. Run the "gpupdate" command on the Domain Controller to make sure the policy is applied.

Setting DCOM permissions

1. From a command line run dcomcnfg.
2. Console Root > Component Services > Computers.
3. Right-click on My Computer and select Properties.
4. From My Computer Properties select COM Security tab.
5. In Launch and Activation Permissions area click Edit Limits.
6. Add OpenDNS_Connector user and allow Remote Launch and Remote Activation permissions.

7. Click OK to confirm and close My Computer Properties.

Setting WMI permissions

1. Run wmimgmt.msc (Windows Management Infrastructure Control console).
2. Right-click on WMI Control. Click Properties > Security tab.
3. Select Root > CIMV2 namespace and click the Security button.
4. Add the OpenDNS_Connector user and Allow the following permissions: Enable Account, Remote Enable
and Read Security.
5. Click OK to exit each dialog window, then click Save to apply changes.

Active Directory Setup Guide for Umbrella: Page 17

Umbrella is brought to
you by OpenDNS.
Trusted by millions around the world.
The easiest way to prevent malware and phishing
attacks, contain botnets, and make your Internet faster
and more reliable.

OpenDNS, Inc. www.umbrella.com 1.877.811.2367

Copyright 2012 OpenDNS, Inc. All rights reserved worldwide. No part of this document may be reproduced by
any means nor translated to any electronic medium without the written consent of OpenDNS, Inc. Information
contained in this document is believed to be accurate and reliable, however, OpenDNS, Inc. assumes no
responsibility for its use.