Whether your organization has recently merged, expanded, or simply changed names, sometimes you need to change your domain name. If you are using Umbrella’s AD Integration, it is important to make sure you update your deployment with your new domain to prevent incorrect policy application, AD User identification, or errors in your AD components.
Why do I need to this?
Since Umbrella’s AD integration is only supported for one domain, it’s not possible to overlap the domains. In order to minimize the impact to your end users, we recommend migrating the domains for your Umbrella Components around the same time you cut over to your new domain.
If you are adding a second domain to your environment permanently, and would like to have both domains, and the attached AD Users, integrated with Umbrella, you will need to use our MultiOrg Console. Please reach out to your Account Manager or Support for more information.
What steps do I need to take for each of the AD components?
- Since the VAs are DNS forwarders, they are in no way tied to your domain and do not need to be redeployed. With that being said, it can be easier to redeploy the VAs if you are also deploying new Local DNS resolvers.
- These will need to be deleted from the Dashboard and returned to their original state. Please see here for more details on how to do this:
- After removing them from the Dashboard, you'll need to grab a new copy of the Windows Configuration script from your Dashboard, and register the DCs after your new domain operational.
- This too needs to be uninstalled and redeployed. Full instructions on the removal are available at the link above.
- Once the AD connector has been fully uninstalled and deleted from the Dashboard, please grab a new installation file and reinstall the AD Connector. For a full guide on how to deploy the AD Connector, and the prerequisites, please see here:
Once all these steps are completed, Umbrella Support will need to delete your old AD Tree. Please raise a ticket with firstname.lastname@example.org to have this done. In order to minimize the delay between your redeployment with your new domain and your new AD Tree syncing to the Dashboard, please contact Support before getting started.
If you are using the Identity Support for the Roaming Client or AnyConnect Roaming Security Module, you will still need to redeploy the AD Connector and Domain Controllers. After the AD tree is deleted, the Roaming Clients and AnyConnect Roaming Security Module will fall back on any Roaming Computer specific policies, and will report their hostname (or display name if different in the Dashboard).
How will I know that it’s working?
- All the AD Components in your Dashboard are green;
- You see AD User identities in your activity search;
- AD Users are getting the correct policies
Since this requires the AD Connector to be reinstalled, and the old AD Tree to be deleted, it can take around 4 hours for all your AD Users and groups to sync with the Dashboard. If after 4 hours, there are no AD Users in your Dashboard, check if there are any errors with any of the components, and reach out to Support (email@example.com) with your AD Connector Audit Logs.