In this article, we outline the steps to connect Microsoft Active Directory (Microsoft AD) to Cloud Control Center.
Create a new GPO linked to the Domain Controllers OU (so that it applies to all DCs), or edit the Default Domain Controllers Policy, and enable the following subcategories under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies:
Account Management: "Audit User Account Management", "Audit Computer Account Management" and "Audit Security Group Management"
Account Logon: "Audit Kerberos Service Ticket Operations"
DS Access: "Audit Directory Service Changes"
Logon/Logoff: "Audit Account Lockout", "Audit Group Membership" and "Audit Logon"
So that these subcategory settings take precedence over any legacy (category-level) audit policy, also make sure the Security Options setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled in the same GPO.
On every Domain Controller, enable the predefined Windows Firewall inbound rule "Remote Event Log Management (RPC)". In Windows Defender Firewall with Advanced Security, a green tick mark against the rule shows that it is enabled; if the rule already shows the green tick, nothing needs to be done. A rule without the green tick mark is disabled and must be enabled.
Open ADSI Edit to enable event generation for user additions/deletions, group additions/deletions, and similar changes. Right-click the Users container, select [Properties], open the [Security] tab, select Everyone, and click [Advanced].
Choose the [Auditing] tab and edit the audit entry for "Everyone": enable ALL checkboxes EXCEPT the four indicated in the screenshot. This causes AD object changes to be audited, so events are generated for any user attribute change. Note that an audit entry set on the Users container only covers objects stored under that container; user and group objects that live in other OUs are audited only if an equivalent entry is applied at the domain root (or the relevant OU) with inheritance to descendant objects. After completing the above, run "gpupdate /force" at a command prompt to apply all policy changes without a reboot.
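The following PowerShell script is an added example, not part of the Elisity documentation or software. Run it in an elevated session on a Domain Controller to verify the three DC-side prerequisites above (audit subcategories, the firewall rule, and the object-level SACL) and, with -Enforce, to apply them. The domain name DC=acme,DC=com, the presence of the ActiveDirectory module, and the set of rights audited in step 3 (the page's screenshot excludes four checkboxes that the text does not name) are assumptions.

```powershell
# Added example (not part of the Elisity documentation): verify and optionally enforce the
# DC-side prerequisites for the Elisity AD Connector. Run elevated on a Domain Controller.
# Assumptions: domain is acme.com (DC=acme,DC=com); the ActiveDirectory module is installed.
param(
    [string]$DomainDN = "DC=acme,DC=com",   # assumption: replace with your domain's distinguished name
    [switch]$Enforce                        # without -Enforce the script only reports
)

# 1. Audit subcategories required by the connector, named as auditpol knows them.
$subcategories = @(
    "User Account Management", "Computer Account Management", "Security Group Management",
    "Kerberos Service Ticket Operations", "Directory Service Changes",
    "Account Lockout", "Group Membership", "Logon"
)
foreach ($sub in $subcategories) {
    # auditpol /r emits CSV; "Inclusion Setting" reads e.g. "Success and Failure" or "No Auditing".
    $row = auditpol /get /subcategory:"$sub" /r | ConvertFrom-Csv
    $setting = $row.'Inclusion Setting'
    if ($setting -eq "No Auditing") {
        Write-Warning "Audit subcategory '$sub' is not enabled ($setting)"
        if ($Enforce) {
            # Local change only; the GPO linked to the Domain Controllers OU is the durable setting.
            auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        }
    } else {
        Write-Host "OK  audit '$sub': $setting"
    }
}

# 2. Firewall: the RPC rule named in the article plus the endpoint-mapper rule (TCP 135),
#    which a remote event-log client needs in order to locate the Event Log service's dynamic port.
foreach ($name in "Remote Event Log Management (RPC)", "Remote Event Log Management (RPC-EPMAP)") {
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rules) { Write-Warning "Firewall rule '$name' not found"; continue }
    foreach ($r in $rules) {
        if ($r.Enabled -ne "True") {
            Write-Warning "Firewall rule '$name' ($($r.Profile)) is disabled"
            if ($Enforce) { $r | Enable-NetFirewallRule }
        } else {
            Write-Host "OK  firewall '$name' ($($r.Profile)) enabled"
        }
    }
}

# 3. Object-level auditing: a Success audit entry for Everyone on the Users container.
#    The rights below are an assumption chosen to cover create/delete/modify of user and
#    group objects; the article's screenshot excludes four checkboxes it does not name.
Import-Module ActiveDirectory
$container = "AD:\CN=Users,$DomainDN"
$everyone  = [System.Security.Principal.SecurityIdentifier]::new("S-1-1-0")
$rights    = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild, Delete, DeleteTree, WriteProperty, WriteDacl, WriteOwner"
$acl = Get-Acl -Path $container -Audit
$present = $acl.GetAuditRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $everyone -and ($_.ActiveDirectoryRights -band $rights) -eq $rights }
if ($present) {
    Write-Host "OK  SACL on $container already audits Everyone for $rights"
} else {
    Write-Warning "No matching audit entry for Everyone on $container"
    if ($Enforce) {
        $rule = [System.DirectoryServices.ActiveDirectoryAuditRule]::new(
            $everyone, $rights,
            [System.Security.AccessControl.AuditFlags]::Success,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
        $acl.AddAuditRule($rule)
        Set-Acl -Path $container -AclObject $acl
    }
}

# 4. Apply the GPO changes without a reboot.
if ($Enforce) { gpupdate /force }
```

Run it once without -Enforce on each DC to see what is missing, then with -Enforce. The auditpol changes it makes are local to that DC; keep the GPO as the source of truth so the settings survive a policy refresh.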
In Cloud Control Center, select Connectors and then select +IDP/Connectors in the top right corner of the window.
Click Download in the Active Directory Connector card.
Click Download for Windows.
Save the file to your local laptop/desktop or to the machine where the connector will run. Click [Click here to view configuration information] to see the Gateway Server URL and the credentials that will be needed during connector installation.
Copy and save both the Gateway Server URL and the Gateway Credential in a file for later use. You can click the Copy icon to copy the credential to the clipboard. You will need these while installing the downloaded software on the computer that will run the Elisity AD Connector.
Copy the ElisityADConnectorInstaller.zip file into a temporary directory on the target machine (Windows 10 or Windows Server 2016/2019) that will host the Elisity AD Connector service. Note that this machine must be a member of the root AD domain. Double-click the zip file after copying it to the target machine. You will see a setup.exe file and an ElisityADConnectorInstaller.msi file.
Run setup.exe to start the Elisity AD Connector installer and click [Next] in the installer window.
Choose a directory in which to install the connector, or keep the provided default. Leave the other options at their defaults and click [Next].
The connector software is copied into the target directory and is ready to be installed as a Windows service. Click [Next].
The connector is configured as a Windows service running as LocalService and needs further configuration (via a separate tabbed window, "Elisity AD Connector Config App"). At this point you can click [Close] to close the installer window.
In the "Elisity AD Connector Config App" window, enter the [Gateway Server Address] and [Gateway Credential] that were saved earlier, click Register Software, and click OK.
Click the [Eada Service] tab to configure the service user ID and service password. The user must be a member of the Event Log Readers group (which grants remote read access to the Security log on the domain controllers); use a dedicated account for this purpose rather than an administrative one. Enter the user ID in DOMAIN\userID format. Click [Save Service Config] after providing the service configuration. At this point the Config App configures the connector service to run as the user you provided. The service is not started yet; its status will be "Stopped".
Grant the service user full access to the installation directory (default C:\Program Files\Elisity Inc).
Provide the list of DC hostnames (FQDNs, e.g. dc1.company.com) as a comma-separated value in the property file EuaConfGlobal.json. Example: "DCHostsEV": "ad1.acme.com,ad2.acme.com,ad3.acme.com"
Provide the IP address of a DC that the connector can query over LDAP to do a full sync. This DC should be a performant server, since all directory data is pulled from it. This also goes into the ElisityConfGloba.json file. Example: "DCHostGC": "10.0.0.121"
DC firewall configuration (for every DC from which audit log events are to be collected): enable the rule "Remote Event Log Management (RPC)" on each DC, or create a new rule that opens the local TCP dynamic port range 49152-65535 for the IP address of the device running the Elisity AD Connector (agent). In either case the RPC endpoint mapper on TCP 135 must also be reachable from the connector host (the predefined "Remote Event Log Management (RPC-EPMAP)" rule), because the client looks up the Event Log service's dynamic port there before connecting.
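Before starting the service, it is worth confirming from the connector host that the service account and the DCs named in DCHostsEV and DCHostGC actually satisfy the requirements in the preceding steps. The script below is an added example, not part of the Elisity software; run it as the service account on the connector machine. The DC names and IP match the article's examples, the service account name and the use of the RSAT ActiveDirectory module for the group-membership check are assumptions.

```powershell
# Added example (not part of the Elisity software): pre-flight checks run on the connector
# host, as the service account, before the Eada service is started.
# Assumptions: RSAT ActiveDirectory module is installed on this host; names below are placeholders.
param(
    [string[]]$EventLogDCs = @("ad1.acme.com", "ad2.acme.com", "ad3.acme.com"),  # same list as DCHostsEV
    [string]$LdapDC = "10.0.0.121",                                             # same value as DCHostGC
    [string]$ServiceUser = "ACME\svc-elisity-ad"                                # assumption
)
$failed = $false

# 1. Event Log Readers membership: required to read a DC's Security log remotely.
#    The group is a Builtin domain-local group, so it is checked in the directory rather than
#    in this host's token (it would not appear in whoami /groups on a member server).
Import-Module ActiveDirectory
$sam = ($ServiceUser -split '\\')[-1]
$readers = Get-ADGroupMember -Identity "Event Log Readers" -Recursive | Select-Object -ExpandProperty SamAccountName
if ($readers -notcontains $sam) {
    Write-Warning "$ServiceUser is not a member of Event Log Readers"; $failed = $true
}

# 2. For every event-log DC: the RPC endpoint mapper (TCP 135) must be reachable, and a Security-log
#    event must be readable remotely. The read exercises the dynamic RPC port and the log ACL together.
foreach ($dc in $EventLogDCs) {
    $tcp = Test-NetConnection -ComputerName $dc -Port 135 -WarningAction SilentlyContinue
    if (-not $tcp.TcpTestSucceeded) {
        Write-Warning "$dc : TCP 135 (RPC endpoint mapper) unreachable"; $failed = $true; continue
    }
    try {
        $ev = Get-WinEvent -ComputerName $dc -LogName Security -MaxEvents 1 -ErrorAction Stop
        Write-Host ("OK  {0}: read Security event {1} at {2}" -f $dc, $ev.Id, $ev.TimeCreated)
    } catch {
        Write-Warning "$dc : cannot read the Security log remotely ($($_.Exception.Message))"; $failed = $true
    }
}

# 3. The full-sync DC: LDAP on TCP 389 must be reachable and a bind as the service account must succeed.
#    (Get-ADUser talks to ADWS on TCP 9389, so it is not a substitute for this check.)
$ldap = Test-NetConnection -ComputerName $LdapDC -Port 389 -WarningAction SilentlyContinue
if (-not $ldap.TcpTestSucceeded) {
    Write-Warning "$LdapDC : TCP 389 (LDAP) unreachable"; $failed = $true
} else {
    try {
        $root = [ADSI]"LDAP://$LdapDC/RootDSE"   # binds as the current user, i.e. the service account
        $root.RefreshCache()                      # forces the bind so a failure surfaces here
        Write-Host "OK  LDAP bind to $LdapDC, default naming context $($root.defaultNamingContext)"
    } catch {
        Write-Warning "LDAP bind to $LdapDC failed: $($_.Exception.Message)"; $failed = $true
    }
}

# 4. Full access to the installation directory (the article's default path).
$installDir = "C:\Program Files\Elisity Inc"
$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$acl = Get-Acl -Path $installDir
$full = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceUser -and ($_.FileSystemRights -band $fullControl) -eq $fullControl
}
if (-not $full) { Write-Warning "$ServiceUser has no FullControl ACE on $installDir"; $failed = $true }

if ($failed) { Write-Host "Fix the warnings above before starting the Eada service." }
else         { Write-Host "All pre-flight checks passed." }
```

A failure in step 2 after step 1 passed usually means the dynamic-port range is blocked while TCP 135 is open; a failure in step 1 alone means the group membership has not replicated yet or the wrong account was entered in the Config App.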
NOTE: The full sync of the AD database with Elisity CCC needs to be triggered only once. If you have multiple Elisity connectors, it is sufficient to do this on only one connector instance.
To initiate the first full sync of the AD database with Elisity CCC, click [Resync] if you want to sync all AD users to the Elisity control plane. You can also trigger the sync from Elisity Cloud Control Center. It takes a few minutes to pull all the users. After the sync is complete, the connector Windows service is started automatically.
The status shows "Running" if the workflow completed successfully.
You can see the status of the connector in the Elisity Cloud Control Center UI.