To enable support for multiple Active Directory domains in your Umbrella organization, please raise a support ticket with Umbrella.
If you have already onboarded multiple AD domains in separate Umbrella organizations, Umbrella can now assist with consolidating these organizations to a single Umbrella organization with multi-AD domain support. Refer to this article for more details.
Pre-requisites for multi-AD domain support
- A user account with the logon name OpenDNS_Connector must be created in each domain and must meet the requirements specified here. It is recommended that you use the same password for this account across all AD domains.
- One AD connector is required for each AD domain in an Umbrella site, with an optional second connector for redundancy if required.
- The AD Connector should be running version 1.2.3 or higher.
- All other pre-requisites specified here are also applicable for multi-AD domain.
Limitations of multi-AD domain support
- AD groups with members belonging to other AD domains are currently not supported. An Umbrella policy defined on such an AD group is only enforced on members that belong to the same AD domain as the group. A workaround is to also assign the policy explicitly to the relevant AD users from the other domains.
- Cross-domain authentication is not currently recognized by the AD Connector. If an AD user authenticates against a domain controller that belongs to a different AD domain, the AD Connector cannot retrieve the user-to-IP mapping for that user. The virtual appliance is then unable to associate a user identity with that IP address, so no AD-based policies are enforced for that user. The workaround is to include the domain controllers from both AD domains in the same Umbrella site, provided the criteria for Umbrella sites (specified here) are not affected.
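The first limitation above means that any group member whose account lives in a different AD domain silently falls outside the group's policy. The following script is an added example, not part of this article or of Umbrella's tooling: it takes a group's distinguished name and the DNs from its `member` attribute (here a constructed sample; in practice the output of `Get-ADGroup -Properties member`) and separates the members the policy will cover from those that need an explicit per-user policy. The domain and group names are assumed.

```python
import re
from typing import Dict, List

# Constructed sample: a group in corp.example.com whose 'member' attribute
# references accounts from its own domain, from a second domain in the same
# forest, and a stub object for a principal from another forest.
SAMPLE_GROUP_DN = "CN=WebFilter-Strict,OU=Groups,DC=corp,DC=example,DC=com"
SAMPLE_MEMBER_DNS = [
    "CN=Alice Adams,OU=Users,DC=corp,DC=example,DC=com",
    "CN=Bob Brown,OU=Users,DC=emea,DC=example,DC=com",
    "CN=S-1-5-21-111-222-333-1105,CN=ForeignSecurityPrincipals,DC=corp,DC=example,DC=com",
    "CN=Carol Cruz,OU=Staff,DC=corp,DC=example,DC=com",
]

# Matches each DC= component of a DN (RDN separators are unescaped commas;
# escaped commas inside a CN value such as "Adams\, Alice" are not separators).
_DC_RE = re.compile(r"(?:^|(?<!\\),)\s*DC=([^,]+)", re.IGNORECASE)


def dn_domain(dn: str) -> str:
    """Return the DNS domain spelled out by the DC= components, e.g. corp.example.com."""
    return ".".join(p.strip().lower() for p in _DC_RE.findall(dn))


def is_foreign_security_principal(dn: str) -> bool:
    """True for members stored under the ForeignSecurityPrincipals container,
    which represent accounts from a different forest even though the DN
    carries the local domain's DC= components."""
    return "cn=foreignsecurityprincipals" in dn.lower()


def split_members_by_domain(group_dn: str, member_dns: List[str]) -> Dict[str, List[str]]:
    """Classify members into 'same_domain' (the group policy applies) and
    'other_domain' (the group policy will not apply; assign the policy to
    these users explicitly as the article's workaround describes)."""
    home = dn_domain(group_dn)
    result: Dict[str, List[str]] = {"same_domain": [], "other_domain": []}
    for dn in member_dns:
        if is_foreign_security_principal(dn) or dn_domain(dn) != home:
            result["other_domain"].append(dn)
        else:
            result["same_domain"].append(dn)
    return result


if __name__ == "__main__":
    report = split_members_by_domain(SAMPLE_GROUP_DN, SAMPLE_MEMBER_DNS)
    for dn in report["other_domain"]:
        print("needs explicit user policy:", dn)
```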