Synchronization mode - Active Directory/Open Directory/LDAP
To create a new Server Task, click Tasks > New > Server Task or select the desired task type from the tree and click New > Server Task.
Basic
In the Basic section, type basic information about the task, such as a Name and Description (optional). Click Select tags to assign tags.
In the Task drop-down menu, select the task type you want to create and configure. If you have selected a specific task type before creating a new task, Task is pre-selected based on your previous choice. Task (see the list of all Tasks) defines the settings and the behavior for the task.
You can also select from the following task trigger settings:
•Run task immediately after finish - Select this option to have the task run automatically after you click Finish.
•Configure trigger - Select this option to enable the Trigger section, where you can configure trigger settings.
To set the trigger later, leave the check boxes deselected.
Settings
Common Settings
Click Select under Static Group Name - by default, the executing user's home group will be used for synchronized computers. Alternatively you can create a New Static Group.
•Object to synchronize - Either Computers and Groups, or Only Computers.
•Computer creation collision handling - If the synchronization adds computers that are already members of the Static Group, you can select a conflict resolution method:
oSkip (synchronized computers will not be added)
oMove (new computers will be moved to a subgroup)
oDuplicate (new computer is created with modified name)
•Computer extinction handling - If a computer no longer exists, you can either Remove this computer or Skip it.
•Group extinction handling - If a group no longer exists, you can either Remove this group or Skip it.
If you set the Group extinction handling to Skip and you delete a group (Organizational Unit) from Active Directory, computers that belonged to the group in ESET PROTECT On-Prem will not be deleted, even when you set their Computer extinction handling to Remove. |
•Synchronization mode - Active Directory/Open Directory/LDAP
Read our Knowledgebase article on managing computers using Active Directory synchronization in ESET PROTECT On-Prem.
Server connection settings
If the ESET PROTECT Server runs on a Windows machine connected to a domain, only the Server field is necessary. You can skip all the other Active Directory configuration steps below. Synchronization among more domains is possible if domains have established trust. |
•Server - Type the Server name or IP address of your domain controller.
•Login - Type the Username for your domain controller in the following format:
oDOMAIN\username (ESET PROTECT Server running on Windows)
ousername@FULL.DOMAIN.NAME or username (ESET PROTECT Server running on Linux).
Be sure to type the domain in capital letters, as this formatting is required to properly authenticate queries to an Active Directory server. |
•Password - Type the password used to log on to your domain controller.
ESET PROTECT Server on Windows uses the encrypted LDAPS (LDAP over SSL) protocol by default for all Active Directory (AD) connections. You can also configure LDAPS on ESET PROTECT Virtual Appliance. For a successful AD connection over LDAPS, configure the following: 1.The domain controller must have installed a machine certificate. To issue a certificate for your domain controller, follow the steps below: a)Open the Server Manager, click Manage > Add Roles and Features and install the Active Directory Certificate Services > Certification Authority. A new Certification Authority will be created in Trusted Root Certification Authorities. b)Click the notification (yellow triangle) in the Server Manager and Configure Active Directory Certificate Services on the destination server. In the Role Services, select Certification Authority. Finish the configuration by clicking Next. c)Navigate to Start > type certlm.msc and press Enter to run the Certificates Microsoft Management Console snap-in > Certificates - Local Computer > Personal > right-click the empty pane > All Tasks > Request New Certificate > Enroll Domain Controller role. d)Verify that the issued certificate contains the domain controller's FQDN. e)On your ESET PROTECT server, import the CA you generated to the certificate store (using certlm.msc tool) > Local Machine > the Trusted Root Certification Authorities folder. f)Restart the ESET PROTECT server computer. 2.When providing connection settings to the AD server, type the FQDN of the domain controller (as provided in the domain controller certificate) in the Server or Host field. IP address is no longer sufficient for LDAPS. |
To enable fallback to LDAP protocol, select the check box Use LDAP instead of Active Directory and type the specific attributes to match your server. Alternatively, you can select Presets by clicking Select and the attributes will be populated automatically:
•Active Directory
•macOS Server Open Directory (Computer Host Names)
•macOS Server Open Directory (Computer IP Addresses)
•OpenLDAP with Samba computer records - For setting up the parameters DNS name in Active Directory.
When you select Use LDAP instead of Active Directory and the Active Directory preset, you can populate computer details with attributes from your Active Directory structure. Only attributes of the type DirectoryString can be used. You can use a tool (for example, ADExplorer) to inspect the attributes on your Domain Controller. See the corresponding fields in the table below:
Computer details fields |
Synchronization task fields |
---|---|
Name |
Computer Hostname Attribute |
Description |
Computer Description Attribute |
Synchronization Settings
•Distinguished Name - Path (Distinguished Name) to the node in the Active Directory tree. Leaving this option empty will synchronize the entire AD tree. Click Browse next to Distinguished Name. Your Active Directory tree will be displayed. Select the top entry to synchronize all groups with ESET PROTECT On-Prem, or select only the specific groups that you want to add. Only computers and Organizational Units are synchronized. Click OK when you are finished.
Determine the Distinguished Name 1.Open the Active Directory Users and Computers application. 2.Click View and select Advanced Features. 3.Right-click the domain > click Properties > select the Attribute Editor tab. 4.Locate the distinguishedName line. It should look like this example: DC=ncop,DC=local. |
•Excluded distinguished name(s) - You can choose to exclude (ignore) specific nodes in the Active Directory tree.
•Ignore disabled computers (only in Active Directory) - You can choose to ignore computers disabled in Active Directory (the task will skip these computers).
If you get the error: Server not found in Kerberos database after clicking Browse, use the server's AD FQDN instead of the IP address. |
Synchronization from Linux server
Trigger
The Trigger section contains information about the trigger(s) which would run a task. Each Server Task can have up to one trigger. Each trigger can run only one Server Task. If Configure trigger is not selected in the Basic section, a trigger is not created. A task can be created without trigger. Such a task can be run afterward manually or a trigger can be added later.
Advanced Settings - Throttling
By setting Throttling, you can set advanced rules for the created trigger. Setting throttling is optional.
Summary
All configured options are displayed here. Review the settings and click Finish.
You can see the progress indicator bar, status icon and details for each created task in Tasks.
You can run the Agent Deployment server task, deploying the ESET Management Agent to the computers synchronized from the Active Directory. |