
Set up Active Directory sync

Synchronize your Active Directory Users and Groups to enable content filter policy assignment to AD-managed people groups (rather than network devices via IP address).

1. Configure your AD server for synchronization

  • Create a user that has access to the user and group database (it should not be a domain admin, for security reasons)
  • Ensure your AD server allows LDAPS on port 636 (preferred) or plaintext LDAP on port 389

2. Configure the DrawBridge for AD Sync

  • Navigate to Accounts / Authentication Integration (under Apps in menu tree) / Active Directory

  • Fill out the form to create an Active Directory Server record (screenshots in the original article show the Server, Connection and Filters sections of the form and the Save step).

  • Test the connection with Verify Connection Settings in the hamburger menu.

    A notification will indicate whether the connection test was successful or not.

  • Trigger an AD Sync run with Sync Directory Servers in the hamburger menu.

    A notification will indicate that the sync run was initiated. This typically completes within a minute, though your environment may differ. This routine does not provide any further status notifications.

    You can verify the sync is complete by visiting Accounts / People and Accounts / Groups / Directory Groups and confirming that all the users and groups from your AD server are now present.

3. Next Steps

This how-to guide is the prerequisite procedure for setting up filter policies for Directory Groups. For further instructions, see the articles:

  • Configure Proxy User Groups
  • Assign an Access Policy to a Proxy User Group

Troubleshooting Resources

  • Use the Directory Service event log on your Windows Server to diagnose AD-sync authentication issues.

  • Locate unsecure LDAP requests (source: Spiceworks Forum):

    • On all of your DCs, look at the Directory Service event log.
    • Search for event 2887.
    • If it exists, you still have clients using non-secure LDAP requests, and the event shows how many.
    • If you change the diagnostic logging level for LDAP, you can find the IP addresses of these clients: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics
    • Change the value of 16 LDAP Interface Events from 0 to 2.
    • After the change you should see event 2889 logged whenever one of these requests comes in.
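The procedure above can be scripted so that the unsigned or cleartext LDAP clients (the DrawBridge sync account among them, if it was configured on port 389) are listed per source address. This is an added PowerShell example, not code from the DrawBridge article or the Spiceworks post; it assumes it runs elevated on a domain controller and that the event 2889 message carries a "Client IP address:" line and an "Identity the client attempted to authenticate as:" line, which is how that event is commonly formatted.

```powershell
# Added example: raise LDAP interface diagnostics (the registry value named above),
# then summarise event 2887 counts and list the clients reported by event 2889.
function Get-UnsignedLdapClients {
    param([int]$LookbackHours = 24)

    $diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    # Level 2 makes the DC log event 2889 for every unsigned/cleartext bind.
    Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

    $since = (Get-Date).AddHours(-$LookbackHours)

    # Event 2887 is the daily summary: it tells you such binds happened and how many.
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object { Write-Host "2887 at $($_.TimeCreated): $($_.Message)" }

    # Event 2889 names the individual client; parse the address and the bind identity.
    # Assumption: the two labelled lines exist in the message text (regexes are ours, not Microsoft's API).
    $clients = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
        -ErrorAction SilentlyContinue |
        ForEach-Object {
            $addr = [regex]::Match($_.Message, 'Client IP address:\s*(\S+)').Groups[1].Value
            $id   = [regex]::Match($_.Message, 'authenticate as:\s*(\S+)').Groups[1].Value
            [pscustomobject]@{
                Time     = $_.TimeCreated
                ClientIP = ($addr -replace ':\d+$', '')   # strip the source port, e.g. 10.0.0.5:51234 -> 10.0.0.5
                Identity = $id
            }
        }

    # One row per client address, with the identities it tried to bind as.
    $clients | Group-Object ClientIP | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'ClientIP'; e = { $_.Name } },
            @{ n = 'Identities'; e = { ($_.Group.Identity | Sort-Object -Unique) -join ', ' } }
}

Get-UnsignedLdapClients -LookbackHours 24 | Format-Table -AutoSize

# When the investigation is finished, return the diagnostics level to 0 to stop the extra logging:
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

Event 2889 only appears for binds made after the level change, so run the collection again once the DrawBridge sync has been triggered at least once.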