Active Directory Synchronization.

I am trying to import all users but I see this Active Directory synchronization. This is a huge security breach to allow connection through the internet to our AD Domain Controller. Is there a way to just import users from a CSV? Or deploy an internal console?

Hello @dsheetz
On the synchronization concern, please do check the following troubleshooting steps:

ITSM LDAP sync troubleshooting

  • Please check the connection type:

    • If a direct connection is used, please make sure that connections from the ITSM IPs (52.59.252.227, 54.93.119.39, 54.93.122.17, 54.93.180.57) on port 389 are allowed through the firewall (if a firewall is used).
    • If the connection is done via Device(s), please make sure that the device can reach the LDAP server by using the following command on a cmd prompt:
      telnet LDAP_SERVER_FQDN_OR_IP 389
  • The LDAP server host can use both the FQDN and the IP of the server. If the sync fails with FQDN, please use the server’s IP address instead.

  • Please make sure that the LDAP login credentials are correct. Depending on the DC settings, the LDAP account login may be “user” or “user@domain.tld”.

  • ITSM is not able to sync with the LDAP servers over SSL. Please check the following registry key on the Server:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity

  • The key’s value needs to be set to 1 (if it’s 2 it means that it requires SSL which is not supported).


Feel free to check this guide also for importing user groups: Importing User Groups from LDAP

There are two ways to configure AD sync. The first is via direct connection, which, if C1 supported LDAPS, wouldn't be too much of an issue with the right firewall configurations; however, they don't yet.

The second way is to install the ITSM agent (enroll a device) which is on a network that is able to query your local AD. This will scrape the AD info and send it back to C1 over a secure connection. I've created a security group and add users to this group which I want to be pulled in to AD. This lets me filter out misc accounts or service accounts which have no place in C1.
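
The group-based filtering described in the last reply can be audited before a sync runs. The following is an added example, not code from this thread or from the product: it takes user entries already exported from AD, keeps only direct members of the sync group, and flags members that are disabled, carry a service principal name, or are marked privileged. The group DN, account names and attribute values are constructed sample data.

```python
# Added example: audit which accounts a group-scoped AD sync would export.
# All entries and the group DN are constructed sample data.

UAC_ACCOUNTDISABLE = 0x0002  # userAccountControl bit set on disabled accounts
SYNC_GROUP_DN = "CN=C1-Sync,OU=Groups,DC=example,DC=local"  # hypothetical

ENTRIES = [
    {"sAMAccountName": "alice", "userAccountControl": 512,
     "memberOf": [SYNC_GROUP_DN], "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "bob", "userAccountControl": 514,  # 512 + disabled bit
     "memberOf": [SYNC_GROUP_DN], "servicePrincipalName": [], "adminCount": 0},
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048,
     "memberOf": [SYNC_GROUP_DN.upper()],  # DNs compare case-insensitively
     "servicePrincipalName": ["MSSQLSvc/db01.example.local:1433"]},
    {"sAMAccountName": "carol", "userAccountControl": 512,
     "memberOf": ["CN=Staff,OU=Groups,DC=example,DC=local"]},
    {"sAMAccountName": "dave_adm", "userAccountControl": 512,
     "memberOf": [SYNC_GROUP_DN], "servicePrincipalName": [], "adminCount": 1},
]

def in_sync_group(entry, group_dn=SYNC_GROUP_DN):
    """Direct membership only; nested groups are not expanded here."""
    wanted = group_dn.lower()
    return any(dn.lower() == wanted for dn in entry.get("memberOf", []))

def review_flags(entry):
    """Reasons an account should be reviewed before it leaves the network."""
    flags = []
    if entry.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE:
        flags.append("disabled")
    if entry.get("servicePrincipalName"):
        flags.append("service-principal")
    if entry.get("adminCount") == 1:
        flags.append("privileged")
    return flags

def audit(entries, group_dn=SYNC_GROUP_DN):
    """Return (clean, flagged): group members safe to sync, and those to review."""
    clean, flagged = [], {}
    for entry in entries:
        if not in_sync_group(entry, group_dn):
            continue  # outside the sync group: never exported
        flags = review_flags(entry)
        if flags:
            flagged[entry["sAMAccountName"]] = flags
        else:
            clean.append(entry["sAMAccountName"])
    return clean, flagged

if __name__ == "__main__":
    clean, flagged = audit(ENTRIES)
    print("sync as-is:", clean)
    for name, flags in flagged.items():
        print("review:", name, flags)
```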