Connect Microsoft Active Directory

In this article, we outline the steps to connect Microsoft Active Directory (Microsoft AD) to Cloud Control Center.

  1. Create a new GPO linked to the Domain Controllers OU (so that it applies to all DCs), or edit the Default Domain Controllers Policy GPO, and configure the audit settings in the following steps. Advanced Audit Policy Configuration is found under Computer Configuration > Policies > Windows Settings > Security Settings. If legacy (category-level) audit policy is also set in the domain, enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so that the subcategory settings below take effect.
  2. Under Advanced Audit Policy Configuration/Account Management, enable "Audit User Account Management", "Audit Computer Account Management" and "Audit Security Group Management".
  3. Under Advanced Audit Policy Configuration/Account Logon, enable "Audit Kerberos Service Ticket Operations".
  4. Under Advanced Audit Policy Configuration/DS Access, enable "Audit Directory Service Changes".
  5. Under Advanced Audit Policy Configuration/Logon-Logoff, enable "Audit Account Lockout", "Audit Group Membership" and "Audit Logon".
  6. On every domain controller, enable the predefined inbound Windows Firewall rule "Remote Event Log Management (RPC)" (Windows Defender Firewall with Advanced Security > Inbound Rules). An enabled rule shows a green tick mark against it; if it is already green, nothing needs to be done.
  7. A rule without the green tick mark is disabled: right-click it and select Enable Rule.
  8. Open ADSI Edit to enable event generation for user additions/deletions, group additions/deletions, and similar changes.
    Connect to the Default naming context, right-click the Users container (CN=Users) and select [Properties]. Select the [Security] tab, select Everyone, and click [Advanced].
  9. Choose the [Auditing] tab and edit the audit entry for "Everyone".
    Enable **ALL** checkboxes except the four shown in the original screenshot. This audits changes to AD objects, so an event is generated for any change to a user attribute.
    After completing the above, run "gpupdate /force" at a command prompt on each domain controller. This applies the policy changes without a reboot.
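The following PowerShell script is an added example, not Elisity's own code or a script from this page. Run on a domain controller in an elevated session, it checks that the audit subcategories from steps 2 to 5 are actually in effect (the GPO may not have applied yet), enables the firewall rules from step 6, and adds the "Everyone" audit entry from steps 8 and 9 to CN=Users the same way ADSI Edit does. Assumptions that are not on this page: Success-only auditing (the change events the connector consumes are success audits), the set of directory rights audited, the connector host address 10.0.0.50 and the custom rule name.

```powershell
# Added example, not Elisity's own code: verify on a DC that the audit subcategories
# from steps 2-5 are in effect, enable the firewall rules from step 6, and add the
# "Everyone" audit entry from steps 8-9 to CN=Users.
# Assumptions: Success-only auditing, the audited rights, the connector host
# address 10.0.0.50 and the custom rule name.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

# --- 1. Advanced audit policy (names as auditpol reports them, without "Audit ") ---
$required = @(
    'User Account Management', 'Computer Account Management', 'Security Group Management',  # Account Management
    'Kerberos Service Ticket Operations',                                                    # Account Logon
    'Directory Service Changes',                                                             # DS Access
    'Account Lockout', 'Group Membership', 'Logon'                                           # Logon/Logoff
)

function Get-AuditInclusion {
    param([string]$Subcategory)
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ } | ConvertFrom-Csv
    return $row.'Inclusion Setting'   # e.g. "Success", "Success and Failure", "No Auditing"
}

$missing = foreach ($sub in $required) {
    $setting = Get-AuditInclusion -Subcategory $sub
    # User created, group member added, object modified etc. are Success audits,
    # so Success is the minimum that must be enabled for each subcategory.
    if ($setting -notmatch 'Success') { "$sub = '$setting'" }
}
if ($missing) {
    Write-Warning ("Not yet effective (check the DC GPO, then gpupdate /force):`n  " + ($missing -join "`n  "))
} else {
    Write-Host 'All required audit subcategories are enabled for Success.'
}

# --- 2. Firewall (step 6 / step 25). The predefined group holds the RPC rule and the
# RPC-EPMAP rule for TCP 135, which a remote event log client contacts first to learn
# the dynamic port of the Event Log service.
$ScopeToConnector = $false        # $true: custom rule limited to the connector host instead
$ConnectorIp      = '10.0.0.50'   # assumption
$ruleName         = 'Elisity AD Connector - Remote Event Log'   # assumption
if (-not $ScopeToConnector) {
    Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
} elseif (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort @('135', '49152-65535') -RemoteAddress $ConnectorIp `
        -Action Allow -Profile Domain | Out-Null
}
Get-NetFirewallRule |
    Where-Object { $_.DisplayGroup -eq 'Remote Event Log Management' -or $_.DisplayName -eq $ruleName } |
    Select-Object DisplayName, Enabled, Profile | Format-Table -AutoSize

# --- 3. SACL on CN=Users (steps 8-9), the same entry ADSI Edit creates ---
$usersDn  = "CN=Users,$((Get-ADDomain).DistinguishedName)"
$acl      = Get-Acl -Path "AD:\$usersDn" -Audit
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
# Assumption: audit the write-type rights (object creation/deletion and attribute
# changes) and leave read-type rights unaudited. Compare with the four exceptions in
# the original screenshot before applying.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Self, WriteProperty, DeleteTree, ExtendedRight, Delete, WriteDacl, WriteOwner'
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$usersDn" -AclObject $acl

# Confirm the entry is present (the SACL is directory data and replicates to all DCs).
(Get-Acl -Path "AD:\$usersDn" -Audit).GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyone } |
    Select-Object ActiveDirectoryRights, AuditFlags, InheritanceType
```

Two things worth knowing when running this: the audit entry is placed on the CN=Users container, as the page describes, so objects that live in other OUs are not covered by it and need the same entry on their OU (or on the domain root); and while the SACL replicates once set, the subcategory settings come from the GPO and must be effective on every DC separately, which is why the first part of the script is run per DC.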
  10. In Cloud Control Center, select Connectors and then click +IDP/Connectors in the top right corner of the window.
  11. Click Download on the Active Directory Connector card.
  12. Click Download for Windows.
  13. Save the file on your laptop/desktop or on the machine where the connector will run. Click [Click here to view configuration information] to see the Gateway Server URL and the credentials that are needed during connector installation.
  14. Copy and save both the Gateway Server URL and the Gateway Credential for later use; the Copy icon copies the credential to the clipboard. The Gateway Credential is the secret that registers the connector with Cloud Control Center, so keep it in a password manager rather than a plain-text file. You will need both while installing the downloaded software on the computer that will run the Elisity AD Connector.
  15. Copy ElisityADConnectorInstaller.zip into a temporary directory on the target machine (Windows 10 or Windows Server 2016/2019) that will host the Elisity AD Connector service. Note that this machine must be a member of the root AD domain. Double-click the zip file after copying it to the target machine; it contains setup.exe and ElisityADConnectorInstaller.msi.
  16. Run setup.exe to start the Elisity AD Connector installer and click [Next] in the installer window.
  17. Choose a directory to install the connector into, or keep the provided default. Leave the other options at their defaults and click [Next].
  18. The connector software is copied into the target directory and is ready to be installed as a Windows service. Click [Next].
  19. The connector is registered as a Windows service running as LocalService; it needs further configuration in a separate tabbed window, the “Elisity AD Connector Config App”. At this point you can click [Close] to dismiss the installer window.
  20. In the “Elisity AD Connector Config App” window, enter the [Gateway Server Address] and [Gateway Credential] saved earlier, click [Register Software], and click [OK].
  21. Click the [Eada Service] tab to configure the service user ID and password.
    The user must be a member of the Event Log Readers group and is entered in the DOMAIN\userID format. A dedicated service account whose only extra privilege is this group membership is sufficient for reading the Security logs of the domain controllers; do not use a Domain Admin or other privileged account. Click [Save Service Config] after entering the service configuration. The Config App then configures the connector service to run as that user. The service is not started yet; its status is “Stopped”.
  22. Grant the service user full access to the installation directory (default C:\Program Files\Elisity Inc).
  23. Provide the list of DC hostnames (FQDNs, e.g. dc1.company.com) as a comma-separated value in the property file EuaConfGlobal.json. Example: "DCHostsEV": "ad1.acme.com,ad2.acme.com,ad3.acme.com"
  24. Provide the IP address of a DC that the connector can send LDAP queries to for the full sync. This DC should be a performant server, since all directory data is pulled from it. This also goes into the same property file, EuaConfGlobal.json. Example: "DCHostGC": "10.0.0.121"
  25. DC firewall configuration (for every DC from which audit log events are collected): either enable the predefined rule "Remote Event Log Management (RPC)" or create a new rule that allows inbound TCP to the local dynamic port range 49152-65535 from the IP address of the device running the Elisity AD Connector (agent). Scoping the rule to the connector's address is the tighter option. Note that a remote event log client first contacts the RPC endpoint mapper on TCP 135 to learn the dynamic port, so that port must be reachable from the connector as well (the predefined rule group includes an RPC-EPMAP rule for it).
  26. NOTE: The full sync of the AD database with Elisity CCC needs to be triggered only once. If you run multiple Elisity connectors, it is sufficient to do this on one connector instance.
  27. To initiate the first full sync of the AD database with Elisity CCC, click [Resync] if you want to sync all AD users to the Elisity Control Plane. You can also trigger the sync from Elisity Cloud Control Center. It takes a few minutes to pull all the users.
    After the sync is complete, the connector Windows service is started automatically.
  28. The status shows “Running” if the workflow completed successfully.
  29. You can also see the status of the connector in the Elisity Cloud Control Center UI.
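The following PowerShell script is an added example for the connector-host side of steps 21 to 28, not Elisity's own code or a script from this page. It adds the service account to Event Log Readers, grants it access to the installation directory, writes the DCHostsEV and DCHostGC properties into the JSON property file, and then verifies from the connector host that each DC is reachable on TCP 135 and that its Security log can be read remotely as the service account, which exercises the firewall rule and the group membership together before the service is started. Assumptions not on this page: the service account ACME\svc-elisity, the DC names and GC address (taken from the page's examples), that EuaConfGlobal.json lives in the installation directory, that the RSAT ActiveDirectory module is installed on the connector host, and that the service's display name contains "Elisity".

```powershell
# Added example, not Elisity's own code: prepare the connector host (steps 21-25)
# and check DC connectivity before the first sync. Assumptions: the service account,
# the DC names and GC address, the location of EuaConfGlobal.json (the page does not
# state it), the RSAT ActiveDirectory module and the service display name.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory

$ServiceUser = 'ACME\svc-elisity'                                    # assumption
$InstallDir  = 'C:\Program Files\Elisity Inc'                        # default from step 22
$DcHostsEV   = @('ad1.acme.com', 'ad2.acme.com', 'ad3.acme.com')     # DCs to collect events from
$DcHostGC    = '10.0.0.121'                                          # DC for the LDAP full sync

# Step 21: Event Log Readers is enough to read DC Security logs; no admin rights needed.
$sam = $ServiceUser.Split('\')[-1]
Add-ADGroupMember -Identity 'Event Log Readers' -Members $sam
# Group membership is evaluated at logon, so the service picks it up when it next starts.

# Step 22: full access for the service user on the installation directory.
icacls $InstallDir /grant "$($ServiceUser):(OI)(CI)F" /T | Out-Null

# Steps 23-24: make sure every event-source host really is a DC of this domain, then
# write the two properties into the JSON property file without touching other keys.
$knownDcs = (Get-ADDomainController -Filter *).HostName
$unknown  = $DcHostsEV | Where-Object { $knownDcs -notcontains $_ }
if ($unknown) { throw "Not domain controllers of this domain: $($unknown -join ', ')" }

$cfgPath = Join-Path $InstallDir 'EuaConfGlobal.json'   # location assumed
$cfg = if (Test-Path $cfgPath) { Get-Content $cfgPath -Raw | ConvertFrom-Json } else { [pscustomobject]@{} }
$cfg | Add-Member -NotePropertyName 'DCHostsEV' -NotePropertyValue ($DcHostsEV -join ',') -Force
$cfg | Add-Member -NotePropertyName 'DCHostGC'  -NotePropertyValue $DcHostGC -Force
$cfg | ConvertTo-Json -Depth 10 | Set-Content -Path $cfgPath -Encoding UTF8
# Written: "DCHostsEV": "ad1.acme.com,ad2.acme.com,ad3.acme.com", "DCHostGC": "10.0.0.121"

# Step 25: each DC must answer on the RPC endpoint mapper (TCP 135) and then on the
# Event Log service's dynamic port; reading one Security event as the service account
# proves both the firewall rule and the Event Log Readers membership at once.
$cred = Get-Credential -UserName $ServiceUser -Message 'Service account password'
foreach ($dc in $DcHostsEV) {
    $epm = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    if (-not $epm.TcpTestSucceeded) { Write-Warning "$dc : TCP 135 blocked (endpoint mapper)"; continue }
    try {
        $ev = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -Credential $cred -ErrorAction Stop
        Write-Host ("{0}: Security log readable, latest event {1} at {2}" -f $dc, $ev.Id, $ev.TimeCreated)
    } catch {
        Write-Warning "$dc : cannot read Security log remotely (firewall or group membership): $($_.Exception.Message)"
    }
}

# LDAP (389) and global catalog (3268) on the DC used for the full sync.
foreach ($port in 389, 3268) {
    $t = Test-NetConnection -ComputerName $DcHostGC -Port $port -WarningAction SilentlyContinue
    Write-Host ("{0}:{1} reachable = {2}" -f $DcHostGC, $port, $t.TcpTestSucceeded)
}

# Steps 27-28: after the first full sync the service should show Running.
Get-Service | Where-Object { $_.DisplayName -like '*Elisity*' } |
    Select-Object Name, DisplayName, Status, StartType
```

The connectivity check is deliberately run as the service account rather than as the administrator executing the script: a read that succeeds as an admin but fails as svc-elisity points at the group membership from step 21, while a TCP 135 failure points at the DC firewall from steps 6 and 25.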