Overview
The OpenDNS Connector runs a sync against Active Directory to return a list of AD users, groups, and computers. This list is then posted securely to the Umbrella Dashboard so they can be used for policies and reporting.
Note: if using version 1.1.24 or higher of the Connector software, it is possible to specify which AD groups will be synced to Umbrella. For complete details about this, please see:
https://docs.umbrella.com/deployment-umbrella/docs/5-connect-active-directory-to-umbrella#specifyAD
You can check which objects have been synced to the Dashboard by editing your policy in 'Policies > Policy List'. The first step of the policy wizard shows which Identities are available.
Scenario 1 - All users and groups missing from the dashboard
If all users are missing from the Identities tab this indicates that the AD sync has not taken place.
There are a number of potential reasons for this:
- Active Directory integration has not been configured, or the OpenDNS Connector is not installed. See the documentation.
- The OpenDNS connector is unable to contact the Domain Controller on the required ports.
- There is a permissions error that prevents the OpenDNS_Connector user from reading the directory via LDAP.
- There is a problem with the OpenDNS_Connector user account (which is used for the sync). The password entered during connector installation could be incorrect or the account may be locked out.
- The OpenDNS Connector service is installed but not working. The most common cause is that ldifde.exe (used to perform the AD sync via LDAP) is not installed; it is most commonly provided by the AD LDS role, so this typically occurs when the Connector is installed on a machine other than a Domain Controller. Please review the prerequisites for non-DC installation.
- The C:\CiscoUmbrellaADGroups.dat file exists, but is empty or has an incorrect format.
For more information, please contact Umbrella support with the Connector logs.
Scenario 2 - Newly created users/groups missing from the dashboard
The Connector frequently syncs with Active Directory to determine whether there have been any changes to the directory; again, this is done using LDAP. If there has been a recent change, a full LDAP sync is then performed. As a result, it can take several hours for new users/groups to take effect in the Dashboard.
If new users are never appearing it could be due to a couple of problems:
- The OpenDNS_Connector account does not have permission for 'replicating directory changes' which is required for us to monitor changes in AD. Ensure that the OpenDNS_Connector is a member of the 'Enterprise Read-Only Domain Controllers' group to assign the correct permissions.
- The connector was able to sync previously, but is now unable to. See the above steps in this article.
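As an added diagnostic (not the Connector's own tooling and not taken from the Umbrella documentation), the following PowerShell script checks the Scenario 1 and Scenario 2 conditions above on the Connector host: ldifde.exe presence, Domain Controller reachability, the state of the OpenDNS_Connector account, its membership in 'Enterprise Read-Only Domain Controllers', and the C:\CiscoUmbrellaADGroups.dat file. It assumes the RSAT ActiveDirectory module is installed, and it tests only LDAP port 389 because this article does not list the required ports.

```powershell
#Requires -Modules ActiveDirectory
# Added diagnostic script, not part of the Umbrella Connector. Run on the Connector host as an administrator.
param(
    [string]$ConnectorAccount = 'OpenDNS_Connector',            # sync account named in the article
    [string]$GroupsFile       = 'C:\CiscoUmbrellaADGroups.dat', # optional group-filter file named in the article
    [string]$DomainController = (Get-ADDomainController).HostName,
    [int[]] $Ports            = @(389)   # assumption: LDAP only; the full "required ports" list is in the Umbrella docs
)

function Write-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $status = if ($Ok) { 'PASS' } else { 'FAIL' }
    Write-Host ('[{0}] {1}: {2}' -f $status, $Name, $Detail)
}

# Scenario 1: ldifde.exe performs the LDAP sync and is absent on non-DC hosts without the AD LDS tools.
$ldifde = Get-Command ldifde.exe -ErrorAction SilentlyContinue
Write-Check 'ldifde.exe on PATH' ($null -ne $ldifde) $(if ($ldifde) { $ldifde.Source } else { 'missing: install the AD LDS tools' })

# Scenario 1: the Connector must reach the Domain Controller on the required ports.
foreach ($port in $Ports) {
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $port -WarningAction SilentlyContinue
    Write-Check "TCP $port to $DomainController" $tcp.TcpTestSucceeded $(if ($tcp.TcpTestSucceeded) { 'reachable' } else { 'blocked or closed' })
}

# Scenario 1: the sync account must exist, be enabled, not be locked out, and not have an expired password.
$acct = Get-ADUser -Identity $ConnectorAccount -Properties LockedOut, PasswordExpired -ErrorAction SilentlyContinue
if ($null -eq $acct) {
    Write-Check 'sync account exists' $false "$ConnectorAccount not found in $((Get-ADDomain).DNSRoot)"
} else {
    Write-Check 'sync account enabled'    $acct.Enabled                "Enabled=$($acct.Enabled)"
    Write-Check 'sync account not locked' (-not $acct.LockedOut)       "LockedOut=$($acct.LockedOut)"
    Write-Check 'password not expired'    (-not $acct.PasswordExpired) "PasswordExpired=$($acct.PasswordExpired)"

    # Scenario 2: membership in 'Enterprise Read-Only Domain Controllers' grants the 'replicating directory changes'
    # permission the Connector needs to notice new users/groups.
    # Assumption: the account lives in the forest root domain; for a child domain add -Server <forest root DC>.
    $groups  = Get-ADPrincipalGroupMembership -Identity $acct | Select-Object -ExpandProperty Name
    $inErodc = $groups -contains 'Enterprise Read-Only Domain Controllers'
    Write-Check 'member of Enterprise Read-Only Domain Controllers' $inErodc $(if ($inErodc) { 'granted' } else { 'missing: new users/groups will never appear' })
}

# Scenario 1: if the optional group-filter file exists, it must not be empty (only non-blank lines are counted here).
if (Test-Path $GroupsFile) {
    $entries = @(Get-Content $GroupsFile | Where-Object { $_.Trim() -ne '' })
    Write-Check "$GroupsFile non-empty" ($entries.Count -gt 0) "$($entries.Count) non-blank entries"
} else {
    Write-Host "[INFO] $GroupsFile absent: all eligible AD groups are synced"
}
```

A FAIL on any line maps directly to the corresponding bullet above; attach the output together with the Connector logs when contacting Umbrella support.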
Scenario 3 - Specific AD objects missing from the dashboard
We recommend creating your own AD groups for use within Umbrella policies.
Domain Admins and a number of other 'default' groups are excluded from the sync. Many well known groups associated with background software (such as Exchange, SQL, and WSUS) are also excluded from the AD sync.
If the C:\CiscoUmbrellaADGroups.dat file exists, verify that it specifies an AD group that includes the missing AD objects.
Scenario 4 - AD sync working but some AD objects are not synced
Check that the OpenDNS_Connector user has permission to 'Read' information from the objects that are missing. In Active Directory, all objects (including users, groups, and computers) have their own ACL permissions that determine who can read their attributes. For more information, please check the following article: Permissions Troubleshooting
If the C:\CiscoUmbrellaADGroups.dat file exists, verify that it specifies an AD group that includes the non-synced AD objects.
Scenario 5 - Certain built-in AD groups and roles are not visible in the Umbrella policy wizard
After deploying Umbrella Active Directory integration components, specifically the AD Connector, you find that certain built-in AD groups are not found in the Umbrella policy wizard.
However, non-built-in AD groups, AD users, and AD computers are still found in the Umbrella policy wizard as expected. The AD Connector purposely does not import built-in AD groups to the Umbrella API. As such, it is expected that you will not be able to define policies on these groups. Please refer to the following KB for more details.