Support for multiple Active Directory domains in your Umbrella organization is now enabled by default.
If you have already onboarded multiple AD domains in separate Umbrella organizations, these organizations can be consolidated to a single Umbrella organization with multi-AD domain support. Refer to this article for more details.
Pre-requisites for multi-AD domain support
- A user account with the logon name OpenDNS_Connector must be created in each domain and must meet the requirements specified here. It is recommended that you use the same password for this account across all AD domains.
- For deployments with Virtual Appliances, one AD Connector is required per AD domain in an Umbrella site, with an optional second connector for redundancy.
- If your deployment includes only Roaming Clients or AnyConnect, a single multi-domain AD Connector can sync AD users and groups from multiple domains. This requires the OpenDNS_Connector account to be created with the same password in each domain. This feature is not enabled by default; raise a support ticket to have it enabled.
- The AD Connector should be running version 1.2.3 or higher.
- All other pre-requisites specified here are also applicable for multi-AD domain.
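The two account prerequisites above (an OpenDNS_Connector account present in every domain, with one shared password) can be checked before onboarding. The script below is an added example, not Cisco's or Umbrella's own tooling; it assumes the ActiveDirectory RSAT module on a domain-joined host with read access to each domain, and the `$AccountName` and `$Domains` parameters are this script's own.

```powershell
# Added example (not Cisco's code): confirm the OpenDNS_Connector account exists, is enabled,
# and accepts the same password in every domain of the forest, as the prerequisites require.
param(
    [string]$AccountName = 'OpenDNS_Connector',
    [string[]]$Domains = (Get-ADForest).Domains   # default: every domain in the current forest
)
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

# Prompt once so the identical password is tested against every domain.
$cred  = Get-Credential -UserName $AccountName -Message 'Password expected to be identical in every domain'
$plain = $cred.GetNetworkCredential().Password

$results = foreach ($domain in $Domains) {
    # Look the account up against a DC of this specific domain, not the local one.
    $acct = Get-ADUser -Server $domain -Filter "SamAccountName -eq '$AccountName'" `
                       -Properties Enabled, PasswordLastSet -ErrorAction SilentlyContinue
    $found   = [bool]$acct
    $enabled = if ($found) { $acct.Enabled } else { $false }

    # Validate the credential against this domain; a disabled account or a different
    # password both return $false here.
    $valid = $false
    if ($found) {
        $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
                   [System.DirectoryServices.AccountManagement.ContextType]::Domain, $domain)
        try { $valid = $ctx.ValidateCredentials($AccountName, $plain) } finally { $ctx.Dispose() }
    }

    [pscustomobject]@{
        Domain          = $domain
        AccountExists   = $found
        Enabled         = $enabled
        PasswordMatches = $valid
        PasswordLastSet = if ($found) { $acct.PasswordLastSet } else { $null }
    }
}

$results | Format-Table -AutoSize
$failing = $results | Where-Object { -not ($_.AccountExists -and $_.Enabled -and $_.PasswordMatches) }
if ($failing) {
    Write-Warning ("Prerequisites not met in: " + ($failing.Domain -join ', '))
}
```

Run it with an account that can read user objects in each domain; a row with PasswordMatches set to False points to a domain whose OpenDNS_Connector password drifted from the others.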
Limitations of multi-AD domain support (Virtual Appliance Deployments)
- Cross-domain authentication is currently not recognized by the AD Connector. If an AD user authenticates against a domain controller that belongs to a different AD domain, the AD Connector cannot retrieve the user-to-IP mapping for that user. The Virtual Appliance therefore cannot associate a user identity with that IP, and AD-based policies will not be enforced for that user. The workaround is to include the Domain Controllers from both AD domains in the same Umbrella site, provided the criteria for Umbrella sites (specified here) are still met.
- Umbrella policies do not apply to AD groups with cross-domain members. To create a policy that applies to users from multiple domains, add the relevant groups or users from each domain to the policy directly.
Limitations of multi-AD domain support (Roaming Client deployments)
- Roaming Client / AnyConnect deployments are not affected by cross-domain authentication limitations.
- With the multi-domain AD Connector feature enabled, Umbrella can support AD groups with cross-domain group members. This feature must be explicitly requested by raising a support ticket. The same feature also allows a single Connector to sync AD identities from multiple AD domains.