Active Directory

Active Directory Sync Tool

With our new Sync Tool you can integrate DNSFilter with your Active Directory. Click the link above to learn more about our new features.

DNSFilter can be deployed easily and quickly in your Active Directory environment. However, there are some limitations. Most customers choose to implement a combination of Roaming Clients and DNS forwarding from the Domain Controller to have comprehensive filtering. This article outlines capabilities, limitations, and best practices for using our service in an AD environment.

 GPO distribution of Roaming Clients (limited to Windows OS only)
 Per-machine filtering
 AD Forwarding configuration
 Per-user logging
 Per-user filtering
 OU integration

Installation Best Practices

Setting up DNSFilter on the Domain Controller

The starting point for using DNSFilter on your Active Directory network is to configure it as an upstream DNS resolver on your Domain Controllers. This will ensure a blanket level of filtering for your entire network. You can do this easily by entering our Anycast IPs in Server Manager. A full text and video walkthrough is located here.
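Blanket filtering only holds if every Domain Controller forwards to the filtering resolvers and nowhere else. The following audit is an added example, not DNSFilter's own code; it assumes the ActiveDirectory and DnsServer PowerShell modules are available, and the addresses in `$Expected` are placeholders to replace with the Anycast IPs from your account.

```powershell
# Added example, not vendor code. The addresses in $Expected are placeholders
# (RFC 5737 documentation range); use the Anycast IPs from your DNSFilter account.
Import-Module ActiveDirectory, DnsServer

$Expected = @('192.0.2.10', '192.0.2.11')

function Test-ForwarderSet {
    param([string[]]$Actual, [string[]]$Expected)
    # Compliant only when both sets are identical: an extra forwarder is a
    # resolution path around the filter, a missing one removes redundancy.
    if (-not $Actual -or -not $Expected) { return $false }
    -not (Compare-Object -ReferenceObject $Expected -DifferenceObject $Actual)
}

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $fwd = Get-DnsServerForwarder -ComputerName $dc.HostName -ErrorAction Stop
        $actual = @($fwd.IPAddress | ForEach-Object { $_.IPAddressToString })
        [pscustomobject]@{
            DomainController = $dc.HostName
            Forwarders       = $actual -join ','
            # With UseRootHint enabled the server falls back to root hints when
            # the forwarders do not answer, so those queries are not filtered.
            UseRootHint      = $fwd.UseRootHint
            Compliant        = Test-ForwarderSet -Actual $actual -Expected $Expected
        }
    } catch {
        # A DC that cannot be queried is reported, not silently skipped.
        [pscustomobject]@{
            DomainController = $dc.HostName
            Forwarders       = "query failed: $($_.Exception.Message)"
            UseRootHint      = $null
            Compliant        = $false
        }
    }
}

# Non-compliant servers sort first.
$report | Sort-Object Compliant, DomainController | Format-Table -AutoSize
```

A server reported as non-compliant can be corrected with `Set-DnsServerForwarder`.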

Distributing the Roaming Client

Per-device filtering and reporting can be achieved easily by deploying the Windows Roaming Client. The Roaming Client is distributed as an MSI file. It can be installed through a script or with a Group Policy Object (GPO). By default, Roaming Clients inherit the Policy of the network to which they are assigned. You can easily change this to another policy for each machine or for a group. They will then have that policy whether on or off your corporate network.

Tip: We recommend taking advantage of the "tags" system when rolling out the Roaming Client. Using TAGS="tag1,tag2" as a command-line flag, you can set tags at install time which correspond to your user groups in Active Directory, such as "Sales" or "Development". This helps the dashboard reflect a structure similar to the one you have in Active Directory.
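One way to set the tags automatically at install time, shown as an added example that is not DNSFilter's own script: it derives tags from the OU names in the computer's distinguished name and passes them through the TAGS flag. The MSI path is a placeholder, the functions `Get-OuTagsFromDn` and `Get-ComputerDn` are hypothetical helpers, and it assumes your OU names mirror your groups.

```powershell
# Added example, not vendor code. $MsiPath is a placeholder; TAGS="tag1,tag2" is
# the flag described above. Assumption: the computer's OU names mirror your
# groups (for example "Sales" or "Development").
$MsiPath = '\\fileserver.example\deploy\RoamingClient.msi'   # placeholder path

function Get-OuTagsFromDn {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split on unescaped commas and keep only the OU= components.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')
    $tags = foreach ($p in $parts) {
        if ($p -match '^\s*OU=(.+)$') {
            # Directory data ends up on a command line: drop quotes, commas and
            # anything else that could break out of the quoted TAGS value.
            ($Matches[1] -replace '[^A-Za-z0-9 _-]', '').Trim()
        }
    }
    @($tags | Where-Object { $_ } | Select-Object -Unique)
}

function Get-ComputerDn {
    # ADSI lookup needs no RSAT, so it works from a startup script run as SYSTEM.
    $filter = '(&(objectCategory=computer)(sAMAccountName={0}$))' -f $env:COMPUTERNAME
    $result = ([adsisearcher]$filter).FindOne()
    if (-not $result) { throw "Computer object for $env:COMPUTERNAME not found in AD" }
    [string]$result.Properties['distinguishedname'][0]
}

$tags = @(Get-OuTagsFromDn -DistinguishedName (Get-ComputerDn))
$msiArgs = @('/i', "`"$MsiPath`"", '/qn', '/norestart')
if ($tags.Count -gt 0) { $msiArgs += "TAGS=`"$($tags -join ',')`"" }
# Append any other properties the installer requires (see the vendor documentation).

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success with reboot required.
if ($proc.ExitCode -notin 0, 3010) {
    throw "msiexec failed with exit code $($proc.ExitCode)"
}
```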

Applying Policies

Once the Roaming Clients are deployed, they will be populated in the Roaming Client management panel. From here, you can mass-select Roaming Clients by tags and then apply filtering policies to them. You can get as granular as desired, even customizing individual policies to apply to each client.

Selecting Roaming Clients by tag

Auditing Queries

Once the Roaming Client is installed on a machine, it will begin logging traffic to the DNSFilter dashboard. By navigating to the Query Log tool, you can filter traffic by Site or by individual machine. Selecting a specific computer will allow you to see a time-stamped log of DNS requests from that specific machine. This is useful for auditing the traffic of your users.
