ESET Online Help


Synchronization mode - Active Directory/Open Directory/LDAP

To create a new Server Task, click Tasks > New > Server Task, or select the desired task type on the left and click New > Server Task.

Basic

In the Basic section, type basic information about the task, such as a Name and Description (optional). Click Select tags to assign tags.
In the Task drop-down menu, select the task type you want to create and configure. If you have selected a specific task type before creating a new task, Task is pre-selected based on your previous choice. Task (see the list of all Tasks) defines the settings and the behavior for the task.

You can also select from the following task trigger settings:

Run task immediately after finish - Select this option to have the task run automatically after you click Finish.

Configure trigger - Select this option to enable the Trigger section, where you can configure trigger settings.

To set the trigger later, leave the check boxes deselected.

Settings

Common Settings

Click Select under Static Group Name - by default, the executing user's home group is used for the synchronized computers. Alternatively, you can create a New Static Group.

Object to synchronize - Either Computers and Groups, or Only Computers.

Computer creation collision handling - If the synchronization adds computers that are already members of the Static Group, you can select a conflict resolution method:

o Skip (synchronized computers will not be added)

o Move (new computers will be moved to a subgroup)

o Duplicate (new computer is created with a modified name)

Computer extinction handling - If a computer no longer exists, you can either Remove this computer or Skip it.

Group extinction handling - If a group no longer exists, you can either Remove this group or Skip it.



important

If you set the Group extinction handling to Skip and you delete a group (Organizational Unit) from Active Directory, computers that belonged to the group in ESET PROTECT On-Prem will not be deleted, even when you set their Computer extinction handling to Remove.
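The following added example (not ESET code) models the Common Settings rules above on a small in-memory Static Group: collision handling (Skip, Move, Duplicate), Computer extinction handling and Group extinction handling, including the caveat that a kept extinct group also keeps its computers. The data model, function names and sample computer names are assumptions constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class StaticGroup:
    """Static Group: computers placed directly in it, plus subgroups mirroring synchronized OUs."""
    name: str
    computers: set = field(default_factory=set)
    subgroups: dict = field(default_factory=dict)


def _locate(root, computer):
    """Return the group (root or a subgroup) that already contains `computer`, or None."""
    if computer in root.computers:
        return root
    for sub in root.subgroups.values():
        if computer in sub.computers:
            return sub
    return None


def _unique_name(root, computer):
    """Duplicate handling: a modified name that is not yet used anywhere in the Static Group."""
    n = 1
    while _locate(root, f"{computer} ({n})") is not None:
        n += 1
    return f"{computer} ({n})"


def apply_sync(root, directory, *, collision="Skip",
               computer_extinction="Remove", group_extinction="Remove"):
    """One synchronization pass. `directory` maps OU name -> set of computer names
    currently present in AD. Mutates `root` in place and returns the actions taken."""
    actions = []

    # Group extinction handling: subgroups whose OU no longer exists in AD.
    for ou in list(root.subgroups):
        if ou not in directory:
            if group_extinction == "Remove":
                del root.subgroups[ou]
                actions.append(f"group {ou}: removed with its computers")
            else:
                # Skip keeps the subgroup. Its computers are never visited by the
                # per-OU loop below, so they stay even when computer_extinction is
                # Remove (the caveat documented above).
                actions.append(f"group {ou}: kept (extinct, Skip)")

    for ou, present in directory.items():
        sub = root.subgroups.setdefault(ou, StaticGroup(ou))

        # Computer extinction handling: members of this subgroup no longer in the OU.
        for comp in sorted(sub.computers - present):
            if computer_extinction == "Remove":
                sub.computers.discard(comp)
                actions.append(f"{comp}: removed (no longer in {ou})")
            else:
                actions.append(f"{comp}: kept (extinct, Skip)")

        # Computer creation collision handling: OU members not yet in this subgroup.
        for comp in sorted(present - sub.computers):
            owner = _locate(root, comp)
            if owner is None:
                sub.computers.add(comp)
                actions.append(f"{comp}: created in {ou}")
            elif collision == "Skip":
                actions.append(f"{comp}: skipped (already in {owner.name})")
            elif collision == "Move":
                owner.computers.discard(comp)
                sub.computers.add(comp)
                actions.append(f"{comp}: moved {owner.name} -> {ou}")
            elif collision == "Duplicate":
                dup = _unique_name(root, comp)
                sub.computers.add(dup)
                actions.append(f"{comp}: duplicated as {dup} in {ou}")
            else:
                raise ValueError(f"unknown collision handling: {collision}")
    return actions


def sample_state():
    """Constructed sample (not real data): the Static Group after an earlier sync and
    the AD snapshot for the next run."""
    root = StaticGroup("All", computers={"PC-01"})  # PC-01 was added to the group manually
    root.subgroups["Sales"] = StaticGroup("Sales", {"PC-02", "PC-03"})
    root.subgroups["Legacy"] = StaticGroup("Legacy", {"PC-09"})
    directory = {
        "Sales": {"PC-01", "PC-02"},  # PC-03 deleted in AD; PC-01 now sits in the Sales OU
        "Lab": {"PC-10"},             # new OU; the Legacy OU was deleted in AD
    }
    return root, directory


def members(root):
    """Layout snapshot: {group name: sorted computer names}."""
    layout = {root.name: sorted(root.computers)}
    for name, sub in root.subgroups.items():
        layout[name] = sorted(sub.computers)
    return layout


if __name__ == "__main__":
    root, directory = sample_state()
    for line in apply_sync(root, directory, group_extinction="Skip"):
        print(line)
    print(members(root))
```

With Group extinction handling set to Skip, the deleted Legacy OU and its computer PC-09 survive the pass even though Computer extinction handling is Remove, which is exactly the interaction the note above warns about.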

Synchronization mode - Active Directory/Open Directory/LDAP

Read our Knowledgebase article on managing computers using Active Directory synchronization in ESET PROTECT On-Prem.

Server connection settings


note

If the ESET PROTECT Server runs on a Windows machine connected to a domain, only the Server field is necessary. You can skip all the other Active Directory configuration steps below. Synchronization across multiple domains is possible if the domains have an established trust.

Server - Type the Server name or IP address of your domain controller.

Login - Type the Username for your domain controller in the following format:

o DOMAIN\username (ESET PROTECT Server running on Windows)

o username@FULL.DOMAIN.NAME or username (ESET PROTECT Server running on Linux)


important

Be sure to type the domain in capital letters, as this formatting is required to properly authenticate queries to an Active Directory server.

Password - Type the password used to log on to your domain controller.


important

ESET PROTECT Server on Windows uses the encrypted LDAPS (LDAP over SSL) protocol by default for all Active Directory (AD) connections. You can also configure LDAPS on ESET PROTECT Virtual Appliance.

For a successful AD connection over LDAPS, configure the following:

1. The domain controller must have a machine certificate installed. To issue a certificate for your domain controller, follow the steps below:

a) Open the Server Manager, click Manage > Add Roles and Features and install the Active Directory Certificate Services > Certification Authority. A new Certification Authority will be created in Trusted Root Certification Authorities.

b) Click the notification (yellow triangle) in the Server Manager and Configure Active Directory Certificate Services on the destination server. In the Role Services, select Certification Authority. Finish the configuration by clicking Next.

c) Navigate to Start > type certlm.msc and press Enter to run the Certificates Microsoft Management Console snap-in > Certificates - Local Computer > Personal > right-click the empty pane > All Tasks > Request New Certificate > Enroll Domain Controller role.

d) Verify that the issued certificate contains the domain controller's FQDN.

e) On your ESET PROTECT server, import the CA you generated to the certificate store (using the certlm.msc tool) > Local Machine > the Trusted Root Certification Authorities folder.

f) Restart the ESET PROTECT server computer.

2. When providing connection settings to the AD server, type the FQDN of the domain controller (as provided in the domain controller certificate) in the Server or Host field. An IP address is no longer sufficient for LDAPS.
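The two LDAPS requirements above (a trusted certificate that carries the domain controller's FQDN, and the FQDN rather than an IP address in the Server field) can be checked before the task is saved. The following is an added example, not ESET code: it validates a Server field value against a certificate in the dictionary form that Python's ssl module returns, and includes a live probe that performs the same chain and hostname verification the ESET PROTECT Server will rely on. The function names, the hypothetical host dc1.corp.example and the constructed certificate are assumptions, not values from the product or from a real domain.

```python
import ipaddress
import socket
import ssl


def classify_target(server):
    """Return 'ip' or 'fqdn'. An IP address is not sufficient for LDAPS because
    hostname verification matches the certificate's subjectAltName DNS entries."""
    try:
        ipaddress.ip_address(server)
        return "ip"
    except ValueError:
        return "fqdn"


def dns_names(cert):
    """DNS names of a certificate in ssl.SSLSocket.getpeercert() dict form:
    subjectAltName dNSName entries, falling back to the subject commonName."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_covers_host(cert, fqdn):
    """Case-insensitive match of fqdn against the certificate names, honouring a
    single left-most wildcard label (*.corp.example matches dc1.corp.example only)."""
    host = fqdn.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == name[2:]:
                return True
        elif name == host:
            return True
    return False


def check_settings(server, cert):
    """Problems with the Server field value for the given DC certificate; an empty
    list means both LDAPS requirements are met."""
    problems = []
    if classify_target(server) == "ip":
        problems.append("Server is an IP address; LDAPS requires the FQDN from the certificate")
    elif not cert_covers_host(cert, server):
        problems.append(f"certificate names {dns_names(cert)} do not include {server}")
    return problems


def probe_ldaps(server, ca_file, port=636, timeout=5.0):
    """Live check (needs network): TLS-connect to the DC, verifying the chain against
    ca_file (the CA exported in step 1.e) and the hostname against `server`. Returns
    the peer certificate dict, or raises ssl.SSLCertVerificationError naming the
    reason (untrusted issuer, hostname mismatch) the ESET task would fail with."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((server, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            return tls.getpeercert()


# Constructed certificate shaped like getpeercert() output; not from a real DC.
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "dc1.corp.example"),),),
    "issuer": ((("commonName", "corp-DC1-CA"),),),
    "subjectAltName": (("DNS", "dc1.corp.example"), ("DNS", "corp.example")),
}

if __name__ == "__main__":
    for server in ("192.0.2.10", "dc1.corp.example", "dc2.corp.example"):
        print(server, "->", check_settings(server, SAMPLE_DC_CERT) or "OK")
```

Run the offline part first to catch a Server field that uses an IP or a name absent from the certificate; then use probe_ldaps with the exported CA file from step 1.e to confirm the chain is trusted from the ESET PROTECT server itself.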

To enable fallback to LDAP protocol, select the check box Use LDAP instead of Active Directory and type the specific attributes to match your server. Alternatively, you can select Presets by clicking Select and the attributes will be populated automatically:

Active Directory

macOS Server Open Directory (Computer Host Names)

macOS Server Open Directory (Computer IP Addresses)

OpenLDAP with Samba computer records - For setting up the DNS name parameters in Active Directory.

When you select Use LDAP instead of Active Directory and the Active Directory preset, you can populate computer details with attributes from your Active Directory structure. Only attributes of the type DirectoryString can be used. You can use a tool (for example, ADExplorer) to inspect the attributes on your Domain Controller. See the corresponding fields in the table below:

Computer details fields        Synchronization task fields
Name                           Computer Hostname Attribute
Description                    Computer Description Attribute

Synchronization Settings

Distinguished Name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option empty will synchronize the entire AD tree. Click Browse next to Distinguished Name. Your Active Directory tree will be displayed. Select the top entry to synchronize all groups with ESET PROTECT On-Prem, or select only the specific groups that you want to add. Only computers and Organizational Units are synchronized. Click OK when you are finished.


note

Determine the Distinguished Name

1. Open the Active Directory Users and Computers application.

2. Click View and select Advanced Features.

3. Right-click the domain > click Properties > select the Attribute Editor tab.

4. Locate the distinguishedName line. It should look like this example: DC=ncop,DC=local.

Excluded distinguished name(s) - You can choose to exclude (ignore) specific nodes in the Active Directory tree.

Ignore disabled computers (only in Active Directory) - You can choose to ignore computers disabled in Active Directory (the task will skip these computers).


important

If you get the error: Server not found in Kerberos database after clicking Browse, use the server's AD FQDN instead of the IP address.
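The scoping rules in Synchronization Settings (Distinguished Name as the synchronized subtree, with an empty value meaning the whole tree; Excluded distinguished name(s); only computers and Organizational Units; Ignore disabled computers) decide which directory entries the task considers. The following added example, not ESET code, applies those rules to a handful of constructed entries under the page's own example base DC=ncop,DC=local. Function names and the sample entries are assumptions; so is the use of the userAccountControl ACCOUNTDISABLE bit (0x2) as the representation of a disabled computer account.

```python
ACCOUNTDISABLE = 0x0002  # userAccountControl flag set on disabled accounts


def parse_dn(dn):
    """Split a DN into normalised RDN components, most specific first (type and
    value lower-cased, whitespace around commas stripped). Escaped commas inside
    a value, e.g. CN=Smith\\, John, do not split the component."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip().lower())
    return [p for p in parts if p]


def is_under(entry_dn, base_dn):
    """True if entry_dn is base_dn itself or lies beneath it. Comparison is by
    whole RDN components, so OU=Sales2,DC=x is not under OU=Sales,DC=x.
    An empty base selects the entire tree."""
    base = parse_dn(base_dn)
    if not base:
        return True
    entry = parse_dn(entry_dn)
    return len(entry) >= len(base) and entry[-len(base):] == base


def select_entries(entries, base_dn="", excluded=(), ignore_disabled=False):
    """Return (DNs the task would synchronize, [(DN, reason)] for the skipped ones).
    Each entry is a dict with 'dn', 'objectClass' (list) and, for computers,
    'userAccountControl'."""
    kept, skipped = [], []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", ())}
        if not classes & {"computer", "organizationalunit"}:
            skipped.append((e["dn"], "not a computer or OU"))
        elif not is_under(e["dn"], base_dn):
            skipped.append((e["dn"], "outside Distinguished Name"))
        elif any(is_under(e["dn"], x) for x in excluded):
            skipped.append((e["dn"], "under an excluded DN"))
        elif (ignore_disabled and "computer" in classes
              and e.get("userAccountControl", 0) & ACCOUNTDISABLE):
            skipped.append((e["dn"], "disabled computer"))
        else:
            kept.append(e["dn"])
    return kept, skipped


# Constructed entries, not a real directory. 4096 = WORKSTATION_TRUST_ACCOUNT.
SAMPLE_ENTRIES = [
    {"dn": "OU=Workstations,DC=ncop,DC=local", "objectClass": ["top", "organizationalUnit"]},
    {"dn": "CN=WS-001,OU=Workstations,DC=ncop,DC=local",
     "objectClass": ["top", "computer"], "userAccountControl": 4096},
    {"dn": "CN=WS-002,OU=Workstations,DC=ncop,DC=local",
     "objectClass": ["top", "computer"], "userAccountControl": 4096 | ACCOUNTDISABLE},
    {"dn": "CN=SRV-01,OU=Servers,OU=Workstations,DC=ncop,DC=local",
     "objectClass": ["top", "computer"], "userAccountControl": 4096},
    {"dn": "CN=WS-100,OU=Workstations2,DC=ncop,DC=local",
     "objectClass": ["top", "computer"], "userAccountControl": 4096},
    {"dn": "CN=jsmith,OU=Workstations,DC=ncop,DC=local",
     "objectClass": ["top", "person", "user"], "userAccountControl": 512},
]

if __name__ == "__main__":
    kept, skipped = select_entries(
        SAMPLE_ENTRIES,
        base_dn="OU=Workstations,DC=ncop,DC=local",
        excluded=("OU=Servers,OU=Workstations,DC=ncop,DC=local",),
        ignore_disabled=True,
    )
    print("synchronized:", kept)
    for dn, reason in skipped:
        print("skipped:", dn, "-", reason)
```

Matching on whole RDN components rather than on string suffixes is the detail worth keeping: an OU named Workstations2 is not part of the Workstations subtree, and the case or spacing you type into the Distinguished Name field does not change which nodes are selected.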

Synchronization from Linux server

Trigger

The Trigger section contains information about the trigger(s) that run a task. Each Server Task can have at most one trigger, and each trigger can run only one Server Task. If Configure trigger is not selected in the Basic section, no trigger is created. A task can be created without a trigger; such a task can be run manually afterward, or a trigger can be added later.

Advanced Settings - Throttling

By setting Throttling, you can set advanced rules for the created trigger. Setting throttling is optional.

Summary

All configured options are displayed here. Review the settings and click Finish.

You can see the progress indicator bar, status icon, and details for each created task in Tasks.


note

You can run the Agent Deployment server task to deploy the ESET Management Agent to the computers synchronized from Active Directory.