Introduction
This document describes multi-AD domain support in Cisco Umbrella.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on Cisco Umbrella.
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Overview
Support for multiple Active Directory domains in your Umbrella organization is now enabled by default.
If you have already onboarded multiple AD domains in separate Umbrella organizations, these organizations can be consolidated to a single Umbrella organization with multi-AD domain support. Refer to this article for more details.
Prerequisites for Multi-AD Domain Support
- A user account with logon name OpenDNS_Connector needs to be created in each domain and be compliant with requirements specified in the Umbrella documentation. It is recommended that you keep the same password for this account across AD domains.
- For deployment with Virtual appliances, one AD connector is required for each AD domain in an Umbrella site, with an optional second connector for redundancy if required.
- If your deployment includes only Roaming Clients or AnyConnect, a single multi-domain AD Connector* can sync AD users/groups from multiple domains. This requires the OpenDNS_Connector account to be created with the same password in each domain. This feature is not enabled by default, and you need to raise a support ticket to get this enabled.
- The AD Connector must be running version 1.2.3 or higher.
- All other prerequisites specified in the Umbrella documentation also apply to multi-AD domain deployments.
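A pre-flight check for the account requirements above, added here as an example (not a Cisco-provided script): it confirms that OpenDNS_Connector exists and is enabled in every domain, and that one password is accepted by all of them. It assumes the RSAT ActiveDirectory module is installed and that the domain names in $Domains are placeholders for the domains onboarded to your organization.

```powershell
# Assumption: replace with the AD domains onboarded to your Umbrella organization.
$Domains = @('corp.example.com', 'eu.example.com')

# Prompt once for the OpenDNS_Connector password; the user name entered here is ignored.
$Password = (Get-Credential -UserName 'OpenDNS_Connector' -Message 'OpenDNS_Connector password to test').Password

foreach ($Domain in $Domains) {
    $Result = [ordered]@{ Domain = $Domain; Exists = $false; Enabled = $null; PasswordLastSet = $null; PasswordAccepted = $false }

    try {
        # Lookup with the caller's own rights: does the account exist in this domain?
        $User = Get-ADUser -Server $Domain -Filter "SamAccountName -eq 'OpenDNS_Connector'" -Properties Enabled, PasswordLastSet
        if ($User) {
            $Result.Exists          = $true
            $Result.Enabled         = $User.Enabled
            $Result.PasswordLastSet = $User.PasswordLastSet
        }
    } catch {
        Write-Warning "$Domain : account lookup failed: $($_.Exception.Message)"
    }

    if ($Result.Exists) {
        # Bind to this domain as the connector account (UPN form). One failed bind per
        # domain at most, so this stays well below typical lockout thresholds.
        $Cred = New-Object System.Management.Automation.PSCredential ("OpenDNS_Connector@$Domain", $Password)
        try {
            $null = Get-ADDomain -Server $Domain -Credential $Cred -ErrorAction Stop
            $Result.PasswordAccepted = $true
        } catch {
            $Result.PasswordAccepted = $false
        }
    }

    [pscustomobject]$Result
}
```

A row with PasswordAccepted = False in any domain means the connector password differs there (or the account is disabled), which is exactly the condition the single multi-domain connector cannot tolerate.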
Limitations of Multi-AD Domain Support (Virtual Appliance Deployments)
- Cross-domain authentication is not currently recognized by the AD Connector. If an AD user authenticates against a local domain controller that belongs to a different AD domain, the AD Connector is not able to retrieve the AD user-to-IP mapping for that user. The virtual appliance cannot associate a user identity with that IP, and as a result, AD-based policies cannot be enforced for that user. The workaround is to include Domain Controllers from both AD domains in the same Umbrella site, as long as the criteria for Umbrella sites (specified in the Umbrella documentation) are still met.
- Umbrella policies do not apply to AD groups with Cross-Domain members. To create a policy that applies to users from multiple domains you must add the relevant groups/users from each domain to the policy.
Limitations of Multi-AD Domain Support (Roaming Client Deployments)
- Roaming Client / AnyConnect deployments are not affected by cross-domain authentication limitations.
- With the multi-domain AD Connector feature enabled, Umbrella can support AD Groups with Cross-Domain group members. This needs to be explicitly requested by raising a support ticket. The same feature also allows a single Connector to sync AD identities from multiple AD domains.