[KB7766] Synchronize ESET PROTECT with Active Directory

Issue

  • A synchronization task is required to sync the ESET PROTECT Virtual Appliance or ESET PROTECT for Linux with Active Directory
  • If automatic synchronization fails in ESET PROTECT for Windows Server, you can use a task to sync ESET PROTECT with your Active Directory
  • Configure communication between your ESET PROTECT Virtual Appliance and your existing Active Directory
  • The No agent icon is next to the computer name and the inability to push install

Solution

Prerequisites

For the Active Directory (AD) sync task to run effectively, it is important that all AD objects that will be synced and their corresponding DNS and reverse DNS records are correct on all servers. Any inconsistency in these items can result in an incorrect sorting of AD objects or excess AD objects being placed in the Lost and Found group.

  1. Open the ESET PROTECT Web Console in your web browser and log in.

  2. Click Tasks Server Tasks Static Group Synchronization and then click New Server Task.
Figure 1-1
  1. Type a Name for your new task into the appropriate field and select Static Group Synchronization (selected by default) from the Task drop-down menu. We recommend that you select the check box next to Run task immediately after finish for the fastest response time.
Figure 1-2
  1. Click Settings and click Select under Static Group Name. Select the static group that will receive new computers and users from AD and then click OK.

    Define the synchronization behavior with AD objects:
  • Object to synchronize–select Computers and Groups or Only Computers.

  • Computer Creation Collision Handling–if the synchronization adds computers that are already members of the Static Group, you can select a conflict resolution method:

    • Skip–synchronized computers will not be added.

    • Move–new computers will be moved to a subgroup.

    • Duplicate–a new computer is created with a modified name.

  • Computer Extinction Handling–If a computer no longer exists in the AD, you can either Remove this computer or Skip it.

  • Group Extinction Handling–If a group no longer exists in the AD, you can either Remove this group or Skip it.

  • Synchronization Mode–to synchronize with the AD, select Active Directory/Open Directory/LDAP.

Figure 1-3
  1. In the Server Connection Settings section, type the following information into the corresponding fields:
    • Server–Type the Server name or IP address of your domain controller.

    • Login–Type the login credentials for your domain controller in the format username@DOMAIN or username. If you are running the ESET PROTECT Server on Windows, use the format DOMAIN\username.
Type the domain in all capital letters

Be sure to type the domain in all capital letters, as this formatting is required in order to properly authenticate queries to an AD server.

    • Password–Type the password used to log in to your domain controller.
Figure 1-4

You can also pre-set the AD settings in More → Server Settings → Advanced Settings → Active Directory. ESET PROTECT uses your credentials by default in AD synchronization tasks (user synchronization, static group synchronization, domain security group synchronization). When the related fields are left blank in the task configuration, ESET PROTECT uses the pre-set credentials.

  • Host–the address of your domain controller.

  • UsernameType the Username for your domain controller in the following format:
    • DOMAIN\username (ESET PROTECT Server running on Windows)
    • username@FULL.DOMAIN.NAME or username (ESET PROTECT Server running on Linux).

  • Passwordpassphrase for your username.

  • Root container–enter the full identification of an AD container (for example: CN=John,CN=Users,DC=Corp). It serves as a pre-set Distinguished Name. We recommend that you copy/paste this value from a server task to make sure you have the correct value (copy the value from the Distinguished Name field, when it is selected).
  1. Select the check box next to Use LDAP instead of Active Directory.

Figure 1-5
  1. The LDAP Parameters settings will be displayed. Under Presets, click Select and then select Active Directory.
Figure 1-6
  1. Select the check box next to Use Simple Authentication.
Figure 1-7
Computer Description Attribute field in ESET PROTECT

The Computer Description Attribute field is available when configuring LDAP. Only attributes of the type Directory String can be used.

Attribute Example
dNSHostName windows10.admin.mydomain
cn WINDOWS10
name WINDOWS10
operatingSystem Windows 10 Enterprise N
operatingSystemVersion 10.0
sAMAccountName WINDOWS10$
servicePrincipalName windows10.admin.mydomain
description Default container for upgraded computer accounts
  1. Click Browse next to Distinguished Name. Your AD tree will be displayed. Select the top entry to sync all groups with ESET PROTECT, or select only the specific groups that you want to add. Click OK when you are finished.
AD tree not loading

If the AD tree does not load, deselect the check box next to Use Simple Authentication and try again.

Figure 1-8
  1. Click Finish. Your new task will be displayed in the list of tasks on the right and will run at the time you specified.