Importing Active Directory Containers
Mapping Active Directory Source Containers
Use this task to import systems from your network’s Active Directory containers directly into your System Tree by mapping Active Directory source containers to the groups of the System Tree.
Unlike previous versions, you can now:
• Synchronize the System Tree structure to the Active Directory structure so that when containers are added or removed in Active Directory, the corresponding group in the System Tree is added or removed also.
• Delete systems from the System Tree when they are deleted from Active Directory.
• Prevent duplicate entries of systems in the System Tree when they already exist in other groups.
Before you begin
You must have appropriate permissions to perform this task.
Best practices
How you implement this feature depends on whether you are creating the System Tree for the first time or upgrading from a previous version with an existing System Tree structure that does not use Active Directory integration.
If you have been using a previous version of ePolicy Orchestrator and already have a fully populated System Tree, you can still take advantage of Active Directory integration by mapping your System Tree groups to Active Directory containers. You can use this feature to create mapping points between Active Directory containers and System Tree groups, so that any new systems found in Active Directory are imported to the appropriate location in the System Tree.
Begin Task
For option definitions, click ? on the page displaying the options.
1 In the ePO Menu select System Tree | Group, then select the desired group in the System Tree. This should be the group to which you want to map an Active Directory container.
NOTE: You cannot synchronize the My Organization or Lost & Found groups of the System Tree.

2 Next to Synchronization type click Edit. The Synchronization Settings page for the selected group appears.
3 Next to Synchronization type select Active Directory. The Active Directory synchronization options appear.
4 Select the type of Active Directory synchronization you want to occur between this group
and the desired Active Directory container (and its sub containers):
• Systems and container structure — Select this option if you want this group to truly
reflect the Active Directory structure. When synchronized, the System Tree structure
under this group is modified to reflect that of the Active Directory container it’s mapped
to. When containers are added or removed in Active Directory, they are added or
removed in the System Tree. When systems are added, moved, or removed from Active
Directory, they are added, moved, or removed from the System Tree.
• Systems only — Select this option if you only want the systems from the Active
Directory container (and non-excluded sub containers) to populate this group, and this
group only. Unlike when mirroring Active Directory, no subgroups are created.
5 Select whether to create a duplicate entry for a system that already exists in
another group of the System Tree.
TIP: McAfee does not recommend selecting this option, especially if you are only using the
Active Directory synchronization as a starting point for security management and use other
System Tree management functionality (for example, tag sorting) for further organizational
granularity below the mapping point.
6 In Active Directory domain, type the fully-qualified domain name of your Active Directory
domain.
7 In Active Directory credentials, type the Active Directory user credentials that ePolicy
Orchestrator uses to retrieve the Active Directory information.
8 Next to Container, click Browse and select a source container in the Select Active
Directory Container dialog box, then click OK.
9 To exclude specific sub containers, click Add next to Exclusions and select a sub container to exclude, then click OK.
10 Select whether to deploy agents automatically to new systems. If you do, be sure to
configure the deployment settings.
TIP: McAfee recommends that you do not deploy the agent during the initial import if the
container is large. Deploying the 3.62 MB agent package to many systems at once may
cause network traffic issues. Instead, import the container, then deploy the agent to groups
of systems at a time, rather than all at once. Consider revisiting this page and selecting
this option after the initial agent deployment, so that the agent is installed automatically
on new systems added to Active Directory.
11 Select whether to delete systems from the System Tree when they are deleted from the Active Directory domain.
12 To synchronize the group with Active Directory immediately, click Synchronize Now.
Clicking Synchronize Now saves any changes to the synchronization settings before synchronizing the group. If you have an Active Directory synchronization notification rule enabled, an event is generated for each system added or removed (these events appear in the Notifications Log and can be queried). If you deployed agents to added systems, the deployment is initiated to each added system. When the synchronization completes, the Last Synchronization time is updated, displaying the time and date when the synchronization finished, not when any agent deployments completed.
NOTE: Alternatively, you can schedule an NT Domain/Active Directory Synchronization server task for the first synchronization. This is useful if you are deploying agents to new systems on the first synchronization, when bandwidth is a larger concern.
13 When the synchronization completes, view the results with the System Tree.
Once the systems are imported, distribute agents to them if you did not select to do so
automatically. Also, consider setting up a recurring NT Domain/Active Directory Synchronization
server task to keep your System Tree up to date with any new systems or organizational changes
in your Active Directory containers.
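The choices made in steps 4, 5, 9 and 11, modeled as an added example (not McAfee or ePolicy Orchestrator code) so the effect of a mapping can be previewed from a list of computer distinguished names before it is applied. The function names, the sample data and the simplified DN parsing (no escaped commas) are assumptions.

```python
# Added example: a model of the options in the steps above, not product code.
def parse_dn(dn):
    """Split a DN into (system name, container DN). Assumes no escaped commas."""
    first, _, container = dn.partition(",")
    return first.split("=", 1)[1], container

def is_under(container, root):
    """True if container is root or one of its sub containers."""
    c, r = container.lower(), root.lower()
    return c == r or c.endswith("," + r)

def subgroup_path(container, root):
    """Sub container names below the mapping point, top level first."""
    if len(container) == len(root):
        return ""
    rel = container[: -len(root) - 1]
    return "/".join(p.split("=", 1)[1] for p in reversed(rel.split(",")))

def plan_import(dns, root, exclusions=(), structure=True,
                existing=(), allow_duplicates=False):
    """Return ({system: subgroup under the mapped group}, [skipped duplicates])."""
    known = {n.lower() for n in existing}
    plan, skipped = {}, []
    for dn in dns:
        name, container = parse_dn(dn)
        if not is_under(container, root):
            continue                      # outside the mapped container
        if any(is_under(container, e) for e in exclusions):
            continue                      # step 9: excluded sub container
        if name.lower() in known and not allow_duplicates:
            skipped.append(name)          # step 5: exists in another group
            continue
        # step 4: mirror the container structure, or systems only (flat)
        plan[name] = subgroup_path(container, root) if structure else ""
    return plan, skipped

def removals(previous_plan, current_plan):
    """Step 11: systems in the previous result that are gone from the current one."""
    return sorted(set(previous_plan) - set(current_plan))

ROOT = "OU=Site1,DC=example,DC=com"       # constructed sample data
SAMPLE = [
    "CN=WS01,OU=Desktops,OU=Site1,DC=example,DC=com",
    "CN=WS02,OU=Laptops,OU=Site1,DC=example,DC=com",
    "CN=LAB01,OU=Lab,OU=Desktops,OU=Site1,DC=example,DC=com",
    "CN=SRV01,OU=Servers,DC=example,DC=com",
    "CN=WS03,OU=Site1,DC=example,DC=com",
]
if __name__ == "__main__":
    print(plan_import(SAMPLE, ROOT, existing=["WS02"],
                      exclusions=["OU=Lab,OU=Desktops," + ROOT]))
```

An empty subgroup value means the system lands directly in the mapped group.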

