[KB6900] Synchronize ESET Security Management Center with Active Directory (7.3 – 9.x)

Issue

ESET business product in Limited Support status

This article applies to an ESET product version that is currently in Limited Support status and is scheduled to reach End of Life status soon.

For a complete list of supported products and support level definitions, review the ESET End of Life Policy for business products.

Upgrade ESET business products.

  • A synchronization task is required to sync the ESET Security Management Center (ESMC) Virtual Appliance or ESMC for Linux with Active Directory
  • If automatic synchronization fails in ESMC for Windows Server, you can use a task to sync ESMC with your Active Directory
  • Configure communication between your ESMC Virtual Appliance and your existing Active Directory
  • No agent icon next to computer name and inability to push install

Solution

Synchronize Active Directory with DNS records first

For the Active Directory (AD) sync task to run effectively, it is important that all AD objects that will be synced and their corresponding DNS and reverse DNS records are correct on all servers. Any inconsistency in these items can result in incorrect sorting of AD objects or excess AD objects being placed in the Lost and Found group.
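The article's prerequisite is that every computer object to be synced has a correct forward (A) and reverse (PTR) DNS record. The following script is an added example, not ESET's code: it takes the dNSHostName values you would export from Active Directory, resolves each one, and reports any host whose A record is missing, whose address has no PTR record, or whose PTR points to a different name. The zone data under `SAMPLE_A` and `SAMPLE_PTR` is constructed so the script runs offline; in real use pass your exported host list and keep the default resolvers, which use the standard library `socket` module.

```python
"""Pre-sync check: forward and reverse DNS consistency for AD computer objects.

Added example (not ESET's code). Reports hosts whose A record or PTR record is
missing or inconsistent, which is the condition the article warns causes
mis-sorted objects or objects landing in the Lost and Found group.
"""
import socket
from dataclasses import dataclass, field


@dataclass
class HostCheck:
    host: str
    addresses: list = field(default_factory=list)   # A records found
    problems: list = field(default_factory=list)    # human-readable findings

    @property
    def ok(self):
        return not self.problems


def default_forward(host):
    """Return all IPv4 addresses for host (empty list when unresolvable)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def default_reverse(address):
    """Return the PTR name for address, or None when there is no PTR."""
    try:
        return socket.gethostbyaddr(address)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_host(host, forward=default_forward, reverse=default_reverse):
    """Check one FQDN: it must resolve, and every address must point back to it."""
    result = HostCheck(host=host)
    result.addresses = forward(host)
    if not result.addresses:
        result.problems.append("no A record")
        return result
    for addr in result.addresses:
        ptr = reverse(addr)
        if ptr is None:
            result.problems.append(f"{addr}: no PTR record")
        elif ptr.rstrip(".").lower() != host.rstrip(".").lower():
            result.problems.append(f"{addr}: PTR is {ptr}, expected {host}")
    return result


def check_hosts(hosts, forward=default_forward, reverse=default_reverse):
    """Check a list of hosts and return only the ones with problems."""
    return [r for r in (check_host(h, forward, reverse) for h in hosts) if not r.ok]


# Constructed sample zone for an offline run (hypothetical names and addresses).
# In real use pass the dNSHostName values exported from AD and use the
# default resolvers above.
SAMPLE_A = {
    "windows10.admin.mydomain": ["10.0.0.10"],
    "fileserver.admin.mydomain": ["10.0.0.20"],
    "stale-pc.admin.mydomain": [],                 # computer object, no DNS record
    "laptop7.admin.mydomain": ["10.0.0.30"],
}
SAMPLE_PTR = {
    "10.0.0.10": "windows10.admin.mydomain",
    "10.0.0.20": "oldname.admin.mydomain",         # PTR never updated after rename
    # 10.0.0.30 has no PTR at all
}


def sample_report():
    """Run the check against the constructed zone; returns {host: [problems]}."""
    findings = check_hosts(SAMPLE_A, forward=lambda h: SAMPLE_A.get(h, []),
                           reverse=lambda a: SAMPLE_PTR.get(a))
    return {r.host: r.problems for r in findings}


if __name__ == "__main__":
    for host, problems in sample_report().items():
        print(host, "->", "; ".join(problems))
```

Fix every host the report lists (or remove the stale computer object from AD) before creating the synchronization task; a host that passes this check with the default resolvers on the ESMC Server itself is the one the sync will sort correctly.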

  1. Open ESET Security Management Center Web Console (ESMC Web Console) in your web browser and log in.

  2. Click Tasks → Server Tasks → Static Group Synchronization and then click New → Server Task.

Figure 1-1

  3. Type a Name for your new task into the appropriate field and select Static Group Synchronization (selected by default) from the drop-down menu. We recommend that you select the check box next to Run task immediately after finish for the fastest response time.

Figure 1-2

  4. Click Settings and click Select under Static Group Name. Select the static group that will receive new computers and users from Active Directory and then click OK.

    Define the synchronization behavior with Active Directory objects:

  • Object to synchronize – select Computers and Groups or Only Computers.

  • Computer Creation Collision Handling – if the synchronization adds computers that are already members of the Static Group, you can select a conflict resolution method:

    • Skip – synchronized computers will not be added.

    • Move – new computers will be moved to a subgroup.

    • Duplicate – new computer is created with modified name.

  • Computer Extinction Handling – If a computer no longer exists in the Active Directory, you can either Remove this computer or Skip it.

  • Group Extinction Handling – If a group no longer exists in the Active Directory, you can either Remove this group or Skip it.

  • Synchronization Mode – to synchronize with the Active directory, select Active Directory/Open Directory/LDAP.

Figure 1-3

  5. In the Server Connection Settings section, type the following information into the corresponding fields:
    • Server – type the Server name or IP address of your domain controller.

    • Login – type the login credentials for your domain controller in the format username@DOMAIN or username. If you are running the ESMC Server on Windows, use the format DOMAIN\username.

Type the domain in all capital letters

Be sure to type the domain in all capital letters, as this formatting is required in order to properly authenticate queries to an Active Directory server.

    • Password – type the password used to log on to your domain controller.

Figure 1-4

Pre-set the Active Directory settings

You can also pre-set the Active Directory settings in More → Server Settings → Advanced Settings → Active Directory. ESMC uses your credentials by default in Active Directory synchronization tasks (user synchronization, static group synchronization, domain security group synchronization). When the related fields are left blank in the task configuration, ESMC uses the pre-set credentials.

  • Host – the address of your domain controller.

  • Username – type the username for your domain controller in one of the following formats:
    • DOMAIN\username (ESMC Server running on Windows)
    • username@FULL.DOMAIN.NAME or username (ESMC Server running on Linux).

  • Password – the password for the username above.

  • Root container – type or copy/paste the full identifier of an AD container (for example: CN=John,CN=Users,DC=Corp). It serves as the pre-set Distinguished Name. We recommend that you copy and paste this value from a server task to make sure you have the correct value (copy the value from the Distinguished Name field once it is selected).

  6. Select the check box next to Use LDAP instead of Active Directory.

Are you using Active Directory Synchronization and you upgraded to ESMC 7.2 on Windows?

ESMC Server 7.2 on Windows uses the LDAPS protocol by default for all Active Directory connections. If you upgrade an earlier ESMC version to ESMC 7.2 and you were using the Active Directory synchronization, synchronization tasks will fail in ESMC 7.2. Read about the solution in the ESMC Online Help.

  7. The LDAP Parameters settings will be displayed. Click Select under Presets and select Active Directory.

Figure 1-5

Computer Description Attribute field in ESMC 7

The Computer Description Attribute field is available when configuring LDAP. Only attributes of the type Directory String can be used.

Attribute                 Example
------------------------  ------------------------------------------------
dNSHostName               windows10.admin.mydomain
cn                        WINDOWS10
name                      WINDOWS10
operatingSystem           Windows 10 Enterprise N
operatingSystemVersion    10.0
sAMAccountName            WINDOWS10$
servicePrincipalName      windows10.admin.mydomain
description               Default container for upgraded computer accounts

  8. Click Browse next to Distinguished Name. Your Active Directory tree will be displayed. Select the top entry to sync all groups with ESMC, or select only the specific groups that you want to add. Click OK when you are finished.

AD tree not loading

If the AD tree does not load, deselect the check box next to Use Simple Authentication and try again.

Figure 1-6

  9. Click Finish. Your new task will be displayed in the list of tasks on the right and will run at the time you specified.