Does ControlUp support multiple AD forests/networks?
For multi-AD support, where a single console supports multiple (untrusted) AD forests, the following prerequisites apply:
- The computer running the console should have LDAP access to the relevant AD forests’ Domain Controllers.
- DNS conditional forwarding should be configured so the computer running the console can resolve the relevant AD DNS records of the external forest (for example the domain controller locator SRV records).
- The console should have valid AD credentials in the external forest.
In order to support multiple external networks, the following prerequisites apply:
- The ControlUp agent needs to be pre-installed on relevant target computers (the agent MSI package can be used to accomplish this).
- A single inbound TCP port (40705 by default) must be opened on the external network so the console can reach the agents (console-agent communication).
- For hypervisor support, inbound HTTPS (TCP 443) must be opened on the external network so the console can reach the hypervisor management interface (console-hypervisor communication).
- From a bandwidth point of view, each console-agent channel consumes approximately 1 KB/s.
The AD Connections tab allows you to add managed domains and configure the credentials to be used to connect to these domains. If you are running ControlUp as a domain user, this list may be empty, which means your current domain credentials are used whenever needed.
AD Connections can be found under Settings -> AD Connections.
ControlUp supports managing computers from different Active Directory domains and forests. Even computers that belong to multiple untrusted Active Directory domains and forests can be managed within the same console, provided that you have sufficient credentials to manage computers in those domains and forests. All that is needed is an Active Directory connection, which consists of a domain FQDN and valid credentials.
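The prerequisites above (DNS resolution of the external forest, LDAP reachability to its domain controllers, valid credentials in that forest, and the agent/hypervisor ports on the external network) can be verified from the console computer before an AD connection is created. The following PowerShell pre-flight script is an added example written for this page; it is not a ControlUp tool. It assumes LDAP on TCP 389 (or LDAPS on 636 with -UseLdaps), and that the "relevant AD DNS entry" is the domain controller locator SRV record; the page itself names neither the LDAP port nor the record type. The forest name, agent hosts and hypervisor hosts passed in are placeholders for your own environment.

```powershell
# Added pre-flight check for a ControlUp console that will manage an external,
# untrusted AD forest. Illustrative code for this page, not ControlUp's own.
# Assumptions not stated on the page: LDAP 389 / LDAPS 636, DC locator SRV record.
param(
    [Parameter(Mandatory)] [string]       $ExternalForestFqdn,    # e.g. forestb.example (placeholder)
    [Parameter(Mandatory)] [pscredential] $Credential,            # account valid in the external forest
    [string[]] $AgentHosts      = @(),                            # computers with the agent pre-installed
    [int]      $AgentPort       = 40705,                          # console-agent port (page default)
    [string[]] $HypervisorHosts = @(),                            # hypervisor management endpoints
    [switch]   $UseLdaps
)

$results = @()
function Add-Result([string]$Check, [string]$Target, [bool]$Ok, [string]$Detail) {
    $script:results += [pscustomobject]@{ Check = $Check; Target = $Target; Ok = $Ok; Detail = $Detail }
}

# 1. DNS: with conditional forwarding in place, the console's resolver must answer
#    for the external forest. Resolve-DnsName is in the DnsClient module (Win8/2012+).
$srvName = "_ldap._tcp.dc._msdcs.$ExternalForestFqdn"
$dcs = @()
try {
    $dcs = @(Resolve-DnsName -Name $srvName -Type SRV -ErrorAction Stop |
             Where-Object { $_.Type -eq 'SRV' } |
             Select-Object -ExpandProperty NameTarget -Unique)
    Add-Result 'DNS SRV' $srvName ($dcs.Count -gt 0) ('DCs: ' + ($dcs -join ', '))
} catch {
    Add-Result 'DNS SRV' $srvName $false $_.Exception.Message
}

# 2. LDAP reachability: TCP connect to each DC the SRV record returned.
$ldapPort = if ($UseLdaps) { 636 } else { 389 }
foreach ($dc in $dcs) {
    $tcp = Test-NetConnection -ComputerName $dc -Port $ldapPort -WarningAction SilentlyContinue
    Add-Result 'LDAP TCP' "${dc}:$ldapPort" $tcp.TcpTestSucceeded ''
}

# 3. Credentials: perform an authenticated bind to the forest's RootDSE with the
#    supplied account. Invalid credentials throw when the first property is read.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure
if ($UseLdaps) { $authType = $authType -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
$ldapPath = "LDAP://${ExternalForestFqdn}:$ldapPort/RootDSE"
try {
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        $ldapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $authType)
    $defaultNc = $entry.Properties['defaultNamingContext'].Value
    Add-Result 'LDAP bind' $ldapPath ($null -ne $defaultNc) "defaultNamingContext: $defaultNc"
} catch {
    Add-Result 'LDAP bind' $ldapPath $false $_.Exception.Message
}

# 4. Agent port on the external network (console -> agent, 40705 by default).
foreach ($h in $AgentHosts) {
    $tcp = Test-NetConnection -ComputerName $h -Port $AgentPort -WarningAction SilentlyContinue
    Add-Result 'Agent TCP' "${h}:$AgentPort" $tcp.TcpTestSucceeded ''
}

# 5. Hypervisor management over HTTPS (console -> hypervisor, TCP 443).
foreach ($h in $HypervisorHosts) {
    $tcp = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    Add-Result 'Hypervisor HTTPS' "${h}:443" $tcp.TcpTestSucceeded ''
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Run it from the computer that will host the console, for example `.\Test-ControlUpForestPrereqs.ps1 -ExternalForestFqdn forestb.example -Credential (Get-Credential) -AgentHosts srv1.forestb.example -HypervisorHosts vcenter.forestb.example` (hypothetical names). If the DNS SRV check fails, the usual remedy is a conditional forwarder for the external forest on the DNS server the console uses, which on a Windows DNS server can be created with `Add-DnsServerConditionalForwarderZone -Name <forest FQDN> -MasterServers <external DNS IPs>` (DnsServer module). Because the account entered in the AD connection is what the console uses to manage computers in that forest, it should be a dedicated account with only the rights needed there, and LDAPS is preferable to plain LDAP for the bind where the external forest supports it.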
The Settings window's AD Connections tab can also be used to enable ControlUp organizations to span multiple Active Directory forests. Every time you log into ControlUp, a list of available organizations is determined based on the Active Directory forest by which your Windows session is currently authenticated. If you create a new ControlUp organization from forest A and then later open ControlUp from a computer logged into forest B, that organization will not be visible in the logon wizard. To enable the display of that organization in forest B, perform the following steps:
- Open ControlUp in a Windows session logged into forest A
- Log into your ControlUp organization
- Using the AD Connections tab of the Settings window, create an AD connection to forest B while providing valid credentials. Click OK.
- Edit the newly created AD connection. Select the Trust tab and enable the checkbox next to "Allow users from '<forest B>' to login to organizations created in '<forest A>'". Click OK.
- Now open ControlUp in a Windows session logged into forest B. Your ControlUp organization should be visible on the organization's drop-down list.
- Keep in mind that a license is assigned to a specific forest: if the license is linked to forest A and you log into your ControlUp organization from forest B, you will be able to manage your environment according to the license linked to forest B.