AD Connections

    Removed AD Dependency
    From version 9.0, you can deploy ControlUp Monitors on machines that are not joined to a local Active Directory (AD) domain. For details, see Removed AD Dependency for Monitors.

    The AD Connections tab allows you to add managed domains and configure the credentials to be used to connect to these domains. If you are running the ControlUp Real-Time Console as a domain user, this list may be empty, as shown below:


    This means that your current domain credentials are used whenever needed.


    Domain connections are required because:

    • The default method of adding machines is by browsing Active Directory, and domain membership is a prerequisite for managed machines.
    • ControlUp uses your Active Directory login information to determine the rights and permissions that will be applied to your Real-Time Console. The Security Policy of ControlUp is based exclusively on Active Directory accounting.

    Managing machines from different domains/forests

    ControlUp supports managing machines from different Active Directory domains and forests. Even machines that belong to multiple untrusted Active Directory domains and forests can be managed within the same console, provided that you have sufficient credentials to manage machines in those domains and forests. All that is needed is an Active Directory connection, which consists of a domain FQDN and valid credentials.

    The AD Connections tab of the Settings window can also be used to enable ControlUp organizations to span multiple Active Directory forests. Every time you log in to the Real-Time Console, the list of available organizations is determined by the Active Directory forest from which your Windows session is currently authenticated. If you create a new ControlUp organization from forest A and later open the Real-Time Console from a machine logged into forest B, that organization will not be visible in the logon wizard.

    To enable the display of that organization in forest B:

    1. Open the ControlUp Real-Time Console in a Windows session logged into forest A.
    2. Log into your ControlUp organization.
    3. In the AD Connections tab of the Settings window, create an AD connection to forest B while providing valid credentials and click OK.
    4. Edit the newly created AD connection. Click the Trust tab and select the Allow users from <forest B> to log in to organizations created in <forest A> checkbox. Click OK.
    5. Open ControlUp in a Windows session logged into forest B. Your ControlUp organization should be visible on the organization's drop-down list.

    This is a personal setting, not a global one. If you clear the AppData folder, it is no longer applied.

    DNS resolution is a prerequisite for accessing Active Directory domains within ControlUp. If an untrusted domain is located in your local network (for example, for testing purposes) but is not accessible using its FQDN, ControlUp will be unable to verify your credentials and add machines from that domain. In such a case, it is recommended to configure a DNS forwarder to allow access to the DNS namespace of the untrusted domain from your existing AD infrastructure.
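One way to check the DNS prerequisite described above before creating an AD connection, as an added example that is not ControlUp's own code. The function name `Test-AdDomainDns`, the domain `lab.example.test` and the address `192.0.2.10` are constructed placeholders; the script assumes the Windows `DnsClient` module and relies on the standard AD domain controller locator record `_ldap._tcp.dc._msdcs.<domain>`.

```powershell
# Added example: verify that an untrusted domain is resolvable by FQDN from this machine.
function Test-AdDomainDns {
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,
        [string]$DnsServer   # optional: query a specific resolver instead of the system default
    )
    # DnsOnly avoids LLMNR/NetBIOS fallbacks that could mask a missing DNS path.
    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # 1. The domain FQDN itself should resolve to domain controller addresses.
    $domainA = @(Resolve-DnsName -Name $DomainFqdn -Type A @common |
        Where-Object { $_.Type -eq 'A' })

    # 2. The DC locator SRV record that AD clients query to find domain controllers.
    $srv = @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainFqdn" -Type SRV @common |
        Where-Object { $_.Type -eq 'SRV' })

    # 3. Every DC host named in an SRV answer must itself resolve to an address.
    $dcs = @(foreach ($r in $srv) {
        $addr = @(Resolve-DnsName -Name $r.NameTarget -Type A @common |
            Where-Object { $_.Type -eq 'A' })
        [pscustomobject]@{
            Host      = $r.NameTarget
            Port      = $r.Port
            Addresses = @($addr.IPAddress)
            Resolves  = ($addr.Count -gt 0)
        }
    })

    [pscustomobject]@{
        Domain            = $DomainFqdn
        DomainResolves    = ($domainA.Count -gt 0)
        SrvRecordsFound   = $srv.Count
        DomainControllers = $dcs
        Ready             = ($domainA.Count -gt 0) -and (@($dcs | Where-Object Resolves).Count -gt 0)
    }
}

# Constructed placeholder domain; replace with the FQDN used in the AD connection.
Test-AdDomainDns -DomainFqdn 'lab.example.test' | Format-List

# If Ready is False, one way to provide the forwarder is a conditional forwarder,
# run on a DNS server of the existing AD infrastructure (DnsServer module);
# 192.0.2.10 is a placeholder for the untrusted domain's DNS server:
#   Add-DnsServerConditionalForwarderZone -Name 'lab.example.test' -MasterServers 192.0.2.10
```

Run the check from the machine that hosts the Real-Time Console, since that is where the FQDN must resolve.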
