Back to Table of Contents | Previous section: Step 1: Setup DNS Forwarding via Virtual Appliances
Overview
Note:
If you do not already have a Virtual Appliance (VA) deployed, return to Step 1 before continuing. AD integration is not possible without a VA.
To get started, run the Windows Configuration script on all of the Domain Controllers (DCs) at each Site (on the domain, excluding Read Only DCs and DCs on other domains) which prepares them to communicate with the Connector. For information on what changes are made by the script, please read this article: Required permissions for the OpenDNS_Connector user
WARNING: Do not run this script on any Read-Only Domain Controllers (RODCs) in your environment. RODCs are not supported.
Note: For environments running on Windows Server 2003 R2, several manual steps are required before completing step 2 (see Appendix B for instructions).
Running the Configuration Script on the Domain Controllers
- From the Umbrella dashboard, navigate to Settings > Sites and Active Directory.
- Click Download Components to expand the section, then download the Windows Configuration script.
- Download the file and save it to a location on the machine you plan to run it on.
Note:
The configuration script is written in Visual Basic Script and is human readable. For reference, it automates the instructions you’ll find in Appendix B, plus more. Contact umbrella-support@cisco.com for more details.
- As Admin, open an elevated command prompt.
- From the command prompt, enter: cscript <filename> where <filename> is the name of the configuration script you downloaded in Step 2. The script will display your current configuration, then offer to auto-configure the Domain Controller for operation. If the auto-configure steps are successful, the script will register the Domain Controller with the Umbrella dashboard.
Note:
The OpenDNS_Connector user must be created before running the script, as detailed in the prerequisites. There are also several Group Policies that affect system operation that may need manual configuration. The script will display the status of these settings and, if needed, provide instructions on changing them.
Note:
If you are receiving the error message "Please verify that the Domain Controller can access the OpenDNS API(67.215.92.210) at port 443!" and port 443 is confirmed to be open to api.opendns.com, crl3.digicert.com, and crl4.digicert.com, the DC may be missing the DigiCert CA. To confirm, visit https://api.opendns.com/v2/OnPrem.Asset in the browser and if a certificate error is presented, download and install the latest DigiCert CA from DigiCert here and re-run the configuration script.
Verify the AD Server Reports to the Dashboard
When you return to the dashboard, you will see the hostname of the AD Server you just ran the script on in the Inactive state 
on the Sites and Active Directory page.
WARNING: The configuration script only runs once; it is not an application or service. If you change the IP address or hostname of the Domain Controller, remove the previous instance of the Domain Controller by clicking the round X icon to delete it from the Umbrella dashboard. Then repeat tasks 1-4 above in order to re-register the Domain Controller.
Repeat for All Domain Controllers
Repeat the above steps to prepare additional Domain Controllers in your single domain environment to successfully communicate with the Connector. In order for the service to work as expected, both for high availability and overall reliability, it's essential that each Domain Controller within the single domain environment have the configuration script run on it.
Comments
0 comments
Article is closed for comments.