The AD Connections tab allows you to add managed domains and configure the credentials to be used to connect to these domains. If you are running the ControlUp Real-Time Console as a domain user, this list may be empty.
This means that your current domain credentials are used whenever needed. If you start the Real-Time Console as a local (non-domain) user, you will be prompted for the FQDN of your Active Directory domain and valid domain credentials, which are mandatory for working with ControlUp.
Domain connections are required for two reasons:
- The default method of adding computers is by browsing Active Directory, and domain membership is a prerequisite for managed computers.
- ControlUp uses your Active Directory login information to determine the rights and permissions that will be applied to your Real-Time Console. The Security Policy of ControlUp is based exclusively on Active Directory accounting.
Managing machines from different domains/forests
ControlUp supports managing computers from different Active Directory domains and forests. Even computers that belong to multiple untrusted Active Directory domains and forests can be managed within the same console, provided that you have sufficient credentials to manage computers in those domains and forests. All that is needed is an Active Directory connection, which consists of a domain FQDN and valid credentials.
The AD Connections tab of the Settings window can also be used to enable ControlUp organizations to span multiple Active Directory forests. Every time you log into the Real-Time Console, a list of available organizations is determined based on the Active Directory forest from which your Windows session is currently authenticated. If you create a new ControlUp organization from forest A and then later open the Real-Time Console from a computer logged into forest B, that organization will not be visible in the logon wizard.
To enable the display of that organization in forest B:
- Open the ControlUp Real-Time Console in a Windows session logged into forest A.
- Log into your ControlUp organization.
- Using the AD Connections tab of the Settings window, create an AD connection to forest B while providing valid credentials. Click OK.
- Edit the newly created AD connection. Select the Trust tab and enable the checkbox next to “Allow users from ‘<forest B>’ to log in to organizations created in ‘<forest A>’”. Click OK.
- Now open ControlUp in a Windows session logged into forest B. Your ControlUp organization should be visible on the organization's drop-down list.
DNS resolution is a prerequisite for accessing Active Directory domains within ControlUp. If an untrusted domain is located in your local network (for example, for testing purposes) but is not accessible using its FQDN, ControlUp will be unable to verify your credentials and add computers from that domain. In such a case, it is recommended to configure a DNS forwarder to allow access to the DNS namespace of the untrusted domain from your existing AD infrastructure.
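A pre-flight check for the DNS prerequisite above, as an added example that is not ControlUp's own code. It assumes the untrusted domain publishes the standard AD DC locator SRV record; the function name Test-AdDomainDns, the domain lab.example.test and the address 192.0.2.10 are placeholders chosen for illustration, and a conditional forwarder is shown as one form of the DNS forwarder the text recommends.

```powershell
# Added example. 'lab.example.test' and 192.0.2.10 are constructed placeholders.
function Test-AdDomainDns {
    param([Parameter(Mandatory)][string]$DomainFqdn)

    $report = [ordered]@{
        Domain        = $DomainFqdn
        FqdnResolves  = $false
        DomainCtrls   = @()
        LdapReachable = @()
    }

    # 1. The domain FQDN itself must resolve. Filter on record type, because a
    #    NODATA answer returns only an SOA record and raises no error.
    try {
        $a = @(Resolve-DnsName -Name $DomainFqdn -Type A -DnsOnly -ErrorAction Stop |
               Where-Object { $_.Type -eq 'A' })
        $report.FqdnResolves = $a.Count -gt 0
    } catch {
        Write-Warning "Cannot resolve ${DomainFqdn}: $($_.Exception.Message)"
    }

    # 2. Standard AD DC locator SRV record for the domain.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV -DnsOnly -ErrorAction Stop |
                 Where-Object { $_.Type -eq 'SRV' })
        $report.DomainCtrls = @($srv | ForEach-Object { $_.NameTarget })
    } catch {
        Write-Warning "No DC locator records found at $srvName"
    }

    # 3. Each advertised domain controller should accept LDAP (TCP 389).
    foreach ($dc in $report.DomainCtrls) {
        $ok = Test-NetConnection -ComputerName $dc -Port 389 `
                  -InformationLevel Quiet -WarningAction SilentlyContinue
        if ($ok) { $report.LdapReachable += $dc }
    }
    [pscustomobject]$report
}

$check = Test-AdDomainDns -DomainFqdn 'lab.example.test'
$check | Format-List
if (-not $check.FqdnResolves -or $check.DomainCtrls.Count -eq 0) {
    # Run on a DNS server of the existing AD infrastructure (DnsServer module),
    # replacing 192.0.2.10 with a DNS server of the untrusted domain:
    Write-Host "Add-DnsServerConditionalForwarderZone -Name $($check.Domain) -MasterServers 192.0.2.10"
}
```

Run the check from the machine that hosts the Real-Time Console, since that is where the untrusted domain's FQDN has to resolve.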