Querying multiple sub-domains with the Active Directory Connector Utility

Article ID: 186533

Products

Information Centric Analytics Data Loss Prevention Core Package

Issue/Introduction

Can the Active Directory Connector Utility bundled with Information Centric Analytics (ICA) traverse the domain forest on a single domain controller to identify sub-domains and their associated objects?

Environment

Version : 6.x

Component : Active Directory Connector Utility

Component Version : 1.6.x

Cause

As of version 1.6.3.0, the Active Directory Connector Utility cannot traverse the domain forest on a single domain controller to query sub-domains and their associated objects.

Resolution

Follow this procedure to add an authoritative domain controller for each tree (domain):

  1. Open SQL Server Management Studio (SSMS)
  2. Connect to the Database Engine hosting the RiskFabric database
  3. Open a new query editor window by pressing CTRL-N, clicking the New Query button in the SQL Editor toolbar, or selecting File > New > Query with Current Connection from the application menu
  4. Copy the following statement and paste it in the new query editor window:
    INSERT INTO [ActiveDirectoryDW].[dbo].[Server] (ServerName, Domain, UserName)
    VALUES ('<server name or IP address>[:<port>]','<domain name>','<domain\account>');
  5. Edit the statement by providing the name or IP address of the domain controller; its port (optional, if using a non-standard port); the domain name for the objects on the domain controller; and the domain and account name of the account that will execute LDAP queries against the domain controller
  6. Execute the statement by pressing the F5 key, clicking the Execute button in the SQL Editor toolbar, or selecting Query > Execute from the application menu
  7. Copy the following query and paste it in the new query editor window:
    SELECT ServerID, ServerName FROM ActiveDirectoryDW.dbo.Server;
  8. Highlight the query and execute it by pressing the F5 key, clicking the Execute button in the SQL Editor toolbar, or selecting Query > Execute from the application menu
  9. Note the ServerID of the record with a ServerName value matching the value provided in the query on step 4
  10. Copy the following query and paste it in the new query editor window:
    EXEC ActiveDirectoryDW.dbo.spAddServerMetadata <ServerID>;
  11. Edit the statement by providing the ServerID identified by the query on step 7
  12. Highlight the query and execute it by pressing the F5 key, clicking the Execute button in the SQL Editor toolbar, or selecting Query > Execute from the application menu

After creating a record for the server in the database, the password for the account used to query the domain controller needs to be encrypted and stored. To do this, follow this procedure:

  1. On the server hosting the SQL Server service and the Active Directory Connector Utility, open a Command Prompt as an administrator
  2. Navigate to the folder containing the ImportADUsersAndComputers.exe executable. The default path at install is:
    %SystemDrive%\Program Files\Bay Dynamics\Active Directory Connector Utility
  3. Run the following command to encrypt the service account password:
    ImportADUsersAndComputers.exe -setapipassword <ServerID> <Password>
    NOTE: If the account password contains special characters, enclose the password in double quotation marks (")
  4. Run the following command to test the new server configuration and query the domain controller:
    ImportADUsersAndComputers.exe
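The SQL part of the procedure above (steps 4 through 12), carried out for several sub-domains in one batch instead of one record at a time, as an added example that is not part of this article or the product. The host names, domain names and account names are constructed placeholders, and the duplicate check assumes that ServerName identifies exactly one record in the Server table.

```sql
-- Added example: register one authoritative domain controller per sub-domain.
-- All host, domain and account values below are constructed placeholders.
DECLARE @Servers TABLE (
    ServerName NVARCHAR(255),   -- '<host or IP>[:<port>]' of the DC for that domain
    Domain     NVARCHAR(255),   -- domain whose objects this DC will be queried for
    UserName   NVARCHAR(255)    -- '<domain\account>' that runs the LDAP queries
);

-- One row per sub-domain (constructed sample values)
INSERT INTO @Servers (ServerName, Domain, UserName) VALUES
    ('dc01.sales.example.com', 'sales.example.com', 'SALES\svc_ica'),
    ('dc01.eng.example.com',   'eng.example.com',   'ENG\svc_ica');

DECLARE @ServerName NVARCHAR(255), @Domain NVARCHAR(255),
        @UserName   NVARCHAR(255), @ServerID INT;

DECLARE cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT ServerName, Domain, UserName FROM @Servers;
OPEN cur;
FETCH NEXT FROM cur INTO @ServerName, @Domain, @UserName;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Steps 4-6: create the Server record, but only if this host is not
    -- already registered, so re-running the script does not add duplicates
    -- (assumes ServerName is unique per server; not stated by the article).
    IF NOT EXISTS (SELECT 1 FROM [ActiveDirectoryDW].[dbo].[Server]
                   WHERE ServerName = @ServerName)
        INSERT INTO [ActiveDirectoryDW].[dbo].[Server] (ServerName, Domain, UserName)
        VALUES (@ServerName, @Domain, @UserName);

    -- Steps 7-9: look up the ServerID that was assigned to the record
    SELECT @ServerID = ServerID
    FROM [ActiveDirectoryDW].[dbo].[Server]
    WHERE ServerName = @ServerName;

    -- Steps 10-12: load the metadata for that server
    EXEC ActiveDirectoryDW.dbo.spAddServerMetadata @ServerID;

    -- Tell the operator which ServerID to use when storing the encrypted
    -- password on the connector host (the password itself never goes in SQL).
    PRINT 'Next, on the connector host run: ImportADUsersAndComputers.exe -setapipassword '
        + CAST(@ServerID AS NVARCHAR(10)) + ' "<password for ' + @UserName + '>"';

    FETCH NEXT FROM cur INTO @ServerName, @Domain, @UserName;
END

CLOSE cur;
DEALLOCATE cur;
```

After the batch completes, run the -setapipassword command printed for each ServerID from the utility's folder, then run ImportADUsersAndComputers.exe without arguments to test the new server configuration.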