The AD Connections tab allows you to add managed domains and configure the credentials to be used to connect to these domains. If you are running ControlUp as a domain user, this list may be empty. This means that your current domain credentials are used whenever needed. If you start ControlUp as a local (non-domain) user, you will be prompted for the FQDN of your Active Directory domain and valid domain credentials, which are mandatory for working with ControlUp.
Domain connections are required for two principal reasons. First, the default method of adding computers is by browsing Active Directory, and domain membership is a mandatory prerequisite for managed computers. Second, ControlUp uses your Active Directory logon information to determine the rights and permissions that will be applied to your console. The Security Policy of ControlUp is based exclusively on Active Directory accounting.
ControlUp supports managing computers from different Active Directory domains and forests. Even computers that belong to multiple untrusted Active Directory domains and forests can be managed within the same console, provided that you have sufficient credentials to manage computers in those domains and forests. All that is needed is an Active Directory connection, which consists of a domain FQDN and valid credentials.
The AD Connections tab of the Settings window can also be used to enable ControlUp organizations to span multiple Active Directory forests. Every time you log in to ControlUp, the list of available organizations is determined by the Active Directory forest that authenticated your current Windows session. If you create a new ControlUp organization from forest A and later open ControlUp from a computer logged into forest B, that organization will not be visible in the logon wizard. To enable the display of that organization in forest B, perform the following steps:
- Open ControlUp in a Windows session logged into forest A
- Log into your ControlUp organization
- Using the AD Connections tab of the Settings window, create an AD connection to forest B while providing valid credentials. Click OK.
- Edit the newly created AD connection. Select the Trust tab and enable the checkbox next to “Allow users from "<forest B>" to login to organizations created in "<forest A>"”. Click OK.
- Now open ControlUp in a Windows session logged into forest B. Your ControlUp organization should be visible on the organizations drop-down list.
DNS name resolution is a mandatory prerequisite for accessing Active Directory domains with ControlUp. If an untrusted domain is located on your local network (e.g. for testing purposes) but is inaccessible using its FQDN, ControlUp will be unable to verify your credentials and add computers from that domain. In such a case, it is recommended to configure a DNS forwarder to allow access to the DNS namespace of the untrusted domain from your existing AD infrastructure.
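A pre-check for the DNS prerequisite above, as an added example (not part of the ControlUp product or its documentation): run it on the console machine to confirm that the untrusted domain's domain controllers can be located by FQDN before creating the AD connection. The function name `Test-AdDomainDns`, the domain `untrusted.example` and the address `192.0.2.10` are placeholders, and using a conditional forwarder on a Windows DNS server is one assumed way to implement the forwarder the text recommends.

```powershell
# Added example. Test-AdDomainDns is a hypothetical helper, not a ControlUp cmdlet.
function Test-AdDomainDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainFqdn,
        # Optional: query a specific DNS server instead of the default resolver.
        [string]$DnsServer
    )
    $common = @{ DnsOnly = $true; ErrorAction = 'Stop' }
    if ($DnsServer) { $common.Server = $DnsServer }

    # Domain controllers register this SRV record; locating a DC depends on it.
    $srvName = "_ldap._tcp.dc._msdcs.$DomainFqdn"
    try {
        $srv = @(Resolve-DnsName -Name $srvName -Type SRV @common |
            Where-Object { $_.Type -eq 'SRV' })
    } catch {
        Write-Warning "Cannot resolve ${srvName}: $($_.Exception.Message)"
        return
    }
    if ($srv.Count -eq 0) {
        Write-Warning "No SRV records returned for ${srvName}"
        return
    }
    foreach ($rec in $srv) {
        # An SRV target that has no A record is as unusable as a missing SRV.
        $addresses = @()
        try {
            $addresses = @(Resolve-DnsName -Name $rec.NameTarget -Type A @common |
                Where-Object { $_.Type -eq 'A' } |
                ForEach-Object { $_.IPAddress })
        } catch { }
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Port             = $rec.Port
            Addresses        = $addresses -join ', '
            Resolvable       = $addresses.Count -gt 0
        }
    }
}

# Placeholder domain; replace with the FQDN entered in the AD connection.
Test-AdDomainDns -DomainFqdn 'untrusted.example'

# If nothing resolves, one option (assumption: Windows DNS server with the
# DnsServer module) is a conditional forwarder to the untrusted domain's DNS:
# Add-DnsServerConditionalForwarderZone -Name 'untrusted.example' -MasterServers 192.0.2.10
```

A row with `Resolvable` set to `False` means the SRV record is visible but the domain controller's host name is not, so the forwarder must cover the namespace that holds the DC host records as well.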