Deploying the Active Directory Adapter

Prerequisites: Sign in with an account that can create users and modify group membership in the domain (Domain Admin or delegated equivalent).

1. Open Active Directory Users and Computers (dsa.msc).
2. Create (or choose) an OU for service accounts (e.g., OU=Service Accounts).
3. Right-click → New → User.
   1. Enter User logon name (UPN): e.g.axonius-svc @<your-domain>.
   2. Enter User logon name (pre-Windows 2000): e.g.axonius-svc.
   3. Set a strong password.
   4. Uncheck “User must change password at next logon.”
   5. Check “Password never expires.”
4. Finish creating the user.
5. Create or edit a GPO to deny interactive logon. Go to Computer Configuration → Windows Settings → Security Settings → Local Policies → User Rights Assignment.
6. Add the service account to Deny log on locally.
7. Add the service account to Deny log on through Remote Desktop Services.
8. Link the GPO to the appropriate scope (e.g., Domain Controllers OU or Workstations/Servers OUs).
9. Add the service account to the Builtin → Account Operators group.
10. Add the service account to the Remote Management Users local group on each target computer (preferably via GPO Preferences).

Prerequisites: Service Account with appropriate permissions (follow the Service Account steps if needed).

1. Confirm a Key Distribution Center (KDC) is available. Every AD domain controller functions as a KDC by default.
2. Ensure the realm name (your AD domain in uppercase, e.g. CONTOSO.LOCAL) is known and matches the value you enter in Axonius.
3. Verify DNS resolution for the DCs/KDCs. Active Directory automatically creates the required A and SRV records; just confirm that Axonius or the Axonius Gateway can resolve them.
4. Confirm that port 88 (Kerberos) is reachable from Axonius or the Axonius Gateway to the domain controllers.

• Fallback DC Address, Fallback Port - Enter a secondary DC address and port as a secondary server to be connected if the first one fails.
• DNS Server Address - Axonius assumes that Domain Controller listed in each connection is also a DNS server. If your Domain Controller does not have the DNS role installed and you would like to use a different system for name resolution of discovered assets you can enter an alternate IP address here (even if it is installed, but you enter a field here, Axonius will use it). Please note that this setting is only used for discovered assets and will not affect resolution of the Domain Controller name entered in the connection configuration. This configuration value is used in conjunction with the Enable IP Resolving advanced setting.
• Alternative DNS Suffix - Replace the device original DNS suffix for DNS resolving. For example, if the device name is windows8.acme.corp , and the Alternative DNS Suffix defined is 'acme-corp.lan', DNS resolving will be done for windows8.acme-corp.lan.
• SSL cipher - Enter an SSL cipher to use for the TLS object of the connection. Using a stronger cipher can solve connection failures when using the default cipher. Examples of OpenSSl ciphers
• Do Not Fetch Users - Select this option if you do not want to fetch users
• Fetch Disabled Devices and Fetch Disabled Users - Select to fetch disabled devices or users. By default, Axonius fetches only enabled devices and users.
• Filter Deleted Devices - By default Axonius fetches deleted devices. Select this option to not fetch deleted devices.
• Filter Deleted Users - By default Axonius fetches deleted users. Select this option to not fetch deleted users.
• Connect to Global Catalog (GC) - Select this option if the configured DC has a Global Catalog role.
• Organizational units include list - To ensure Axonius fetches entities only from specific organizational units (OUs), input the desired OUs using their distinguished names (DNs). Each entry in the list should correspond to a separate OU. For example, if you want to include the organizational units for Acme Corporation in both the Ireland and New York Offices, specify them as follows:
  • Ireland Office/Acme/Corp,New York Office/Acme/Corp
• Organizational units to exclude - To prevent Axonius from fetching entities belonging to specific organizational units (OUs), list the OUs using their distinguished names (DNs). Each entry in the list should correspond to a separate OU. For instance, if you want to exclude the organizational units for Acme Corporation in both the Ireland and New York Offices, specify them as follows:
  • Ireland Office/Acme/Corp,New York Office/Acme/Corp
• Search Base - Search Base: This field specifies a path for conducting searches within a defined scope. By default, searches are conducted across the entire domain. However, configuring this option can be beneficial when dealing with multiple Active Directory (AD) subdomains, as it allows you to limit the search to resources within a specific subdomain.