
Microsoft Active Directory

Integrating with Active Directory

The integration allows GravityZone to import the computer inventory from Active Directory on-premises and from Active Directory hosted in Microsoft Azure. This way, you can easily deploy and manage protection on Active Directory endpoints. Integration is performed through a managed endpoint called Active Directory Integrator.

To manage the Active Directory integration, you can do the following:

  • Set up the Active Directory Integrator

  • Synchronize with Active Directory

  • Remove the Active Directory Integrator

  • Remove the Active Directory integration

Prerequisites

The Active Directory Integrator must meet the following conditions:

  • It runs Windows OS.

  • It is joined to an Active Directory domain.

  • It is protected by Bitdefender Endpoint Security Tools.

  • It is always online. Otherwise, synchronization with Active Directory may be affected.

Important

It is recommended that endpoints joined to Active Directory have a policy assigned directly to them. All endpoints discovered in an Active Directory domain are moved from their original folder to the Active Directory folder. If these endpoints have an inherited policy, they will be assigned the policy set as default.

Setting Up the Active Directory Integrator

You can define multiple Active Directory integrators for the same domain, and also for each available domain.

To set an endpoint as Active Directory Integrator:

  1. Go to the Network page.

  2. Navigate through the network inventory to the group where your endpoint is and select it.

    Note

    If you want to define multiple integrators, you need to select one endpoint at a time.

  3. Click the Integrations button at the upper side of the table and choose Set as Active Directory Integrator.

  4. Click Yes to confirm your action.

    The endpoint now displays a new icon indicating that it is an Active Directory Integrator. Within a few minutes, the Active Directory tree appears next to Computers and Groups. For large Active Directory networks, the synchronization may take longer to complete. The endpoints joined to the same domain as the Active Directory Integrator are moved from Computers and Groups to the Active Directory container.

Synchronizing with Active Directory

GravityZone automatically synchronizes with Active Directory every hour.

GravityZone is unable to synchronize with an Active Directory domain if the following situations occur:

  • All Active Directory integrator roles have been removed.

  • The connection between the Active Directory integrators and GravityZone has been lost for at least 2 hours.

  • None of the Active Directory integrators from the same domain can communicate with the Domain Controller.

  • A domain-joined account is not logged into the endpoint that acts as AD integrator. Without having a domain user logged in, there are no cached credentials, and the queries to the AD server fail.

In any of these cases, an Active Directory issue is raised in the Notifications area. For more information, refer to Notifications.
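The prerequisites and the synchronization failure conditions above can be checked on a candidate endpoint before assigning it the Integrator role. The following PowerShell readiness check is an added example, not GravityZone's own tooling; it assumes it runs with local administrator rights on the Windows endpoint and that Bitdefender Endpoint Security Tools registers itself under the standard Uninstall registry keys with a DisplayName containing "Bitdefender Endpoint Security Tools" (an assumption about the installer, not stated on this page).

```powershell
# Readiness check for a candidate Active Directory Integrator (example code, not GravityZone's own).
# Assumes: run as local admin on the Windows endpoint; the BEST installer registers a DisplayName
# containing "Bitdefender Endpoint Security Tools" under the Uninstall keys (assumption).
function Test-AdIntegratorReadiness {
    [CmdletBinding()]
    param()

    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $results = [ordered]@{}

    # Prerequisite: joined to an Active Directory domain.
    $results['DomainJoined'] = [bool]$cs.PartOfDomain

    # Failure condition: no domain account logged on, so no cached credentials for AD queries.
    # Heuristic (assumption): the NetBIOS domain in DOMAIN\user matches the first DNS label of the domain.
    $loggedOn = $cs.UserName    # console user as DOMAIN\user, $null when nobody is logged on
    $results['DomainUserLoggedOn'] = [bool]($loggedOn -and $cs.PartOfDomain -and
        $loggedOn.Split('\')[0] -ieq $cs.Domain.Split('.')[0])

    # Failure condition: the integrator cannot communicate with a Domain Controller.
    try {
        $results['DomainControllerReachable'] = Test-ComputerSecureChannel -ErrorAction Stop
    } catch {
        $results['DomainControllerReachable'] = $false
    }

    # Prerequisite: protected by Bitdefender Endpoint Security Tools.
    $uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $best = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -like '*Bitdefender Endpoint Security Tools*' }
    $results['BestInstalled'] = [bool]$best

    # Prerequisite: always online. Report uptime so an operator can avoid machines that are
    # routinely rebooted or suspended.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $results['UptimeHours'] = [math]::Round(((Get-Date) - $os.LastBootUpTime).TotalHours, 1)

    [pscustomobject]$results
}

$report = Test-AdIntegratorReadiness
$report | Format-List
$blocking = 'DomainJoined', 'DomainUserLoggedOn', 'DomainControllerReachable', 'BestInstalled' |
            Where-Object { -not $report.$_ }
if ($blocking) { Write-Warning "Not ready as AD Integrator: $($blocking -join ', ')" }
```

Re-run the check when the Active Directory notification fires, since a logged-off domain user or a lost secure channel on the integrator are the conditions this page lists as breaking synchronization.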

Remove the Active Directory Integrator

To remove the role of Active Directory Integrator from an endpoint:

  1. Go to the Network page.

  2. Navigate through the network inventory to the group where the Active Directory Integrator is and select it.

    Note

    If you want to remove multiple integrators, you need to select one endpoint at a time.

  3. Click the Integrations button at the upper side of the table and choose Remove Active Directory Integrator.

  4. A confirmation message will appear.

    • If no other endpoint in the same domain has the Active Directory Integrator role, the confirmation message also warns that the current domain will no longer be synchronized with GravityZone.

    • If the endpoint is offline, the Active Directory Integrator role is removed once it comes back online.

You can check if any Active Directory integrator was removed from your managed network in the User Activity section, by filtering the user logs using the following criteria:

  • Area: Active Directory

  • Action: Removed AD Integrator

For more information, refer to User Activity Log.

Remove the Active Directory integration

You can choose to remove one or several domains from the Active Directory folder, as follows:

  1. Go to the Network page.

  2. Under the Network tree from the left pane, select the Active Directory folder.

  3. Go to the right pane and select the folder of the domain you want to remove.

  4. Click the Integrations button at the upper side of the table and choose Remove Active Directory Integration.

  5. A confirmation message will appear. An option in this message lets you choose whether to delete the unmanaged endpoints from the Network Inventory. Note that this option is enabled by default. Click Confirm to proceed.

  6. All endpoints under the selected domain are placed under the Computers and Groups folder (or their original groups), and the Active Directory Integrator role is removed from the assigned endpoints of this domain.