In my previous article, we set up redundant OpenDNS Umbrella virtual appliances to forward DNS data from our internal network to OpenDNS. We concluded with reports that correctly display IP addresses from our internal network. Now we want to go further and record Active Directory information such as computer login and group information.

To do this, we’ll need to create an OpenDNS service user account on our domain, set up our domain controllers with the OpenDNS Connector service, and run a configuration script against all of our domain controllers. The connector will watch our domain controllers that the configuration script has modified and will relay the information to our OpenDNS Umbrella account.

Download required files ^

To get started, first download the Sites and Active Directory components from OpenDNS Umbrella > Configuration > System Settings > Sites & Active Directory > Download Components:

Download AD components

Download AD components

Download the files for the Windows Configuration and the Windows Service.

AD service and configuration script download

AD service and configuration script download

When finished downloading, you’ll have three files: OpenDNS-WindowsConfigurationScript-20130627.wsf, Config.dat, and Setup.msi. The Config.dat file will contain your OpenDNS account identity information.

AD Connector files

AD Connector files

Create optional new domain controller ^

You have the option to keep the connector service separate from your domain controllers by using a member server. The minimum specs are similar to those for the OpenDNS Virtual Appliances and are as follows:

  • Static IP address
  • 4 CPU cores and 1.5GB RAM
  • 7GB of disk space
  • The following open outbound ports: 53 TCP & UDP, 443 TCP & UDP, 80 TCP, 2222 TCP, 123 UDP, and 53 UDP
  • White-list the processes OpenDNSAuditClient.exe and OpenDNSAuditService.exe if local anti-virus software is installed

Install AD Domain Services Snap-Ins and the Command-Line Tools feature via Remote Server Administration Tools > Role Administration Tools > AD DS & AD LDS Tools > AD DS Tools. Again, you can either run the onnector service from a new stand-alone member server with AD Tools, or run it from an existing DC. I chose to do the latter and ran the service on my PDC.

If you create a new member server, be sure to open WMI ports in the firewall with the following command run as Administrator:

netsh advfirewall firewall set rule group="Windows Management Instrumentation (WMI)" new enable=yes

Create an OpenDNS service user ^

In addition to the connector and scripts, we need to create a new service user on our domain so our services run uninterrupted. Create a new domain user account and set the logon name to OpenDNS_Connector. Provide a strong password and then check the Password Never Expires checkbox. Add the new user to the following groups:

  • Event Log Readers
  • Distributed COM users
  • Enterprise Read-only domain controllers (RDOC)

Set up domain controllers with cscript ^

Next we want to run the .wsf script against all of our domain controllers. Open and run an elevated command prompt as Administrator.

According to the instructions here (OpenDNS Umbrella account required), from the command prompt, enter c:\>cscript <filename> where <filename> is the name of the configuration script you downloaded. The script will display your current configuration, then offer to auto-configure the domain controller for operation y/n. Type y to continue. If the auto-configure steps are successful, the script will register the domain controller with the Umbrella Dashboard.

Cscript on domain controller

Cscript on domain controller

Again, be sure to run the .wsf visual basic script on all of your domain controllers in each of your sites. In this instance, I only was required to run the .wsf script against one domain controller.

Install the connector ^

If you have a domain controller that is a Core 2012 R2 server, simply copy the files to the c:\ drive, then run the Setup.msi file from the default command prompt with the command: c:\>.\Setup.msi.

OpenDNS Connector setup

OpenDNS Connector setup

When prompted, provide the password for the OpenDNS Connector service account that we created earlier.

OpenDNS service account credentials

OpenDNS service account credentials

After we’ve verified authentication, we can jump onto our OpenDNS dashboard and confirm that our AD Connector is listed, which we can see in the following screenshot.

AD Connector established

AD Connector established

Testing AD integration ^

Once our AD Connector and AD Servers are reporting to our OpenDNS Umbrella account, we can now see our AD User and Group information listed in the reports under the Identity column.

Subscribe to 4sysops newsletter!

Activity displays identity information

Activity displays identity information

Conclusion ^

With just a little extra work, we can extend the amount of information available to us on our OpenDNS Umbrella Reporting console to include Active Directory information. If your organization has multiple sites, you can set up Connectors to monitor each location concurrently at no additional cost. It’s nice that OpenDNS Umbrella provides the support and tools necessary to secure and categorize DNS, provide accurate reporting, and manage DNS traffic from a single web-based console.

0
3 Comments
  1. rob 4 years ago

    I'm working on this setup now,
    "Set up domain controllers with cscript ^
    Next we want to run the .wsf script against all of our domain controllers. Open and run an elevated command prompt as Administrator."

    - the script fails on my dc even though I'm running from an elevated cmd prompt, this is the output from the script when I attempt to run it:

    Testing configuration...
    This is a Windows Server 2008R2 forest.
    Testing configuration completed
    Checking if flag file exists...
    Adding WMI permissions..
    C:\temp\OpenDNS_ADC_Config.wsf(919, 3) SWbemObjectEx: Access denied

    - Do I need domain admin level privileges to run this script?

    0

  2. Author

    My initial reaction would be to say, yes try domain admin permissions, but it also appears to want to access an object from c:\temp\... Does your system have a C:\temp directory? Check permissions on the directory itself. Also, check if you have the most current files for the installation and lastly contact OpenDNS support.

    +1

  3. rob 4 years ago

    Thanks for the reply back, it's failing on the section of the script that is attempting to add the required WMI permissions:

    Lines 913 - 919 which is exactly what is mentioned in the error msg above, I agree with you, you can't make changes like this on a domain controller without a service account that has domain admin privileges:

    Function AddWMIPermissions()

    set namespace = createobject("wbemscripting.swbemlocator").connectser
    ver(,"root\c
    imv2")

    set security = namespace.get("__systemsecurity=@")

    nStatus = security.setsd(strSD)

     - we tried to run it without a domain admin account, it's a DC, you need local admin permissions to run this script and make these changes, there is no way around it, thanks for the reply back!

     

    0

Leave a reply

Please enclose code in pre tags

Your email address will not be published. Required fields are marked *

*

© 4sysops 2006 - 2021

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account