Active Directory
- Active Directory setup: SafeDNS Dashboard configuration.
- SafeDNS and local resources
- SafeDNS Agent Intune installation
- SafeDNS AD Agent environment configuration
Active Directory setup: SafeDNS Dashboard configuration.
1. Create the domain on the SafeDNS Dashboard.
After downloading the SafeDNS AD Agent, you need to add the name of your local domain controller to the dashboard. This is necessary to authorize your AD environment on the SafeDNS dashboard. Before adding, please make sure your subscription plan is one of the business plans and not the Reseller one.
Filtering rules of AD users can be managed under the "Active Directory" tab:
Please go to the Domains Tab and create a domain. Please note that the domain name should be the real one used on the AD server. We are using the domain name SafeDNS.local as an example.
Enter the domain name and press the "Create" button:
After adding the DC to the list, please install the Agent application file.
The agent is a signed MSI file with added user authorization credentials.
The client installs the package via GPO for the required number of users.
The guide below shows the process of the Agent application installation on the Active Directory environment:
https://docs.safedns.com/books/installation-guides/page/safedns-ad-agent-environment-configuration
2. SafeDNS Dashboard configuration (continue)
After the Agent's installation is complete, the agent starts automatically when the user logs in and transmits information about the user to the Dashboard on the "ActiveDirectory" page, "Users" submenu. When the user first appears on the list, they are not associated with any filtering profile. To assign a filtering profile to the user, go to the Collections tab.
3. Allocating users with the filtering Policy.
To start filtering create a Collection in the "Collections" tab:
1. Enter the name of the Collection;
2. Choose the domain name;
3. Press the "Save Collection" button;
Once the collection is created, the following window will appear:
4. Collection Overview
Once the users are allocated a filtering policy, the Collection tab looks like this:
5. Users tab overview
Once the users are allocated policies, the User tab shows the detailed information:
SafeDNS and local resources
This guide explains how to set up the SafeDNS service in the Active Directory environment with the SafeDNS Dashboard.
Manual Setup in the Dashboard
One of the main ways to gain access to AD resources without using the SafeDNS Agent is to use special options available on Office/Enterprise plans.
You must add SafeDNS DNS-servers addresses - 195.46.39.39 and 195.46.39.40 - to the DNS forwarder on your Primary Domain Controller (and secondary, if applicable), so all devices in a filtered network receive SafeDNS IP addresses as the DNS. After this you need to add your external IP address to the dashboard.
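One way to confirm the forwarder step on the domain controller, as an added PowerShell example that is not part of the SafeDNS documentation. It assumes the DnsServer module that ships with the DNS Server role; the function name Test-SafeDnsForwarders is hypothetical. Besides the two addresses above, it reports any other forwarder and the root-hints fallback, either of which lets the server resolve names without SafeDNS.

```powershell
# Added example (not SafeDNS code): audit the DNS forwarders on a domain controller.
$SafeDnsResolvers = @('195.46.39.39', '195.46.39.40')    # addresses from this guide

function Test-SafeDnsForwarders {                         # hypothetical helper name
    param(
        [string]$ComputerName = $env:COMPUTERNAME,        # assumption: run on the PDC
        [string[]]$Expected   = $SafeDnsResolvers
    )
    $fwd = Get-DnsServerForwarder -ComputerName $ComputerName
    # Normalise the configured forwarders to strings; an empty list stays empty.
    $current = @($fwd.IPAddress | Where-Object { $_ } |
                 ForEach-Object { $_.IPAddressToString })

    [pscustomobject]@{
        ComputerName = $ComputerName
        Missing      = @($Expected | Where-Object { $_ -notin $current })
        Unexpected   = @($current  | Where-Object { $_ -notin $Expected })
        UseRootHint  = $fwd.UseRootHint   # $true: falls back to root hints if forwarders fail
    }
}

$result = Test-SafeDnsForwarders
$result | Format-List
if ($result.Missing.Count -gt 0 -or $result.Unexpected.Count -gt 0 -or $result.UseRootHint) {
    Write-Warning 'Forwarders differ from a SafeDNS-only configuration; review the fields above.'
    # To enforce it:
    # Set-DnsServerForwarder -IPAddress $SafeDnsResolvers -UseRootHint $false
}
```

Run the same check against the secondary domain controller, if applicable, by passing its name as -ComputerName.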
Grant access to local resources.
2. Enter and add your AD domain in the form.
3. Enter and add the name of the PDC (Primary Domain Controller) and its IP address in the local network.
4. Add secondary domain controllers, if applicable. You can change the PDC by clicking on the pencil icon on the right.
5. Set aliases for all required local resources in the Aliases table below. Enter the name of a local resource and its local IP address.
6. Wait about 5-7 minutes until all local resources become accessible.
Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.
SafeDNS Agent Intune installation
1. Setting up the Intune environment
First, set up the user and domain in the Intune panel, add the software, configure it, and then log in to the Microsoft/Intune account from the client's computer.
To install the SafeDNS agent, download the .exe installation file from the SafeDNS Dashboard. Then the installation file should be converted into a .intunewin file.
Before starting the installation ensure that the necessary licenses are active.
If there are no licenses, go to Marketplace > All Products > Security and Identity and select the needed licenses.
1. Open Microsoft 365 Admin Center: https://admin.microsoft.com. Select Billing > Licenses
Make sure that the following licenses are active:
1. Intune
2. Microsoft Entra licenses ID P2
2. If there are no licenses, go to Marketplace > All Products > Security and Identity, select the licenses listed above, and order them.
3. The next step is creating/adding users to log in from client computers. New users can be created, or existing external users can be invited.
4. Creating the username, nickname, display name, and password:
5. Review and check the parameters, then finish the process of user creation:
6. Go to the Intune admin panel: https://intune.microsoft.com
You may need to enter a password or use the Microsoft Authenticator app on your phone.
Go to Devices > Windows:
7. Select Enrollment > Automatic Enrollment:
8. Activate MDM user Scope > All and Save the settings:
9. Set the PIN code to unlock the device using the Windows Hello for Business feature:
10. The settings are on the right-side panel. Once the settings are configured, save the changes.
Now the user can log in to the Azure Active Directory using the credentials created above.
2. Preparing application for Intune Portal
Prepare the application to be loaded into the Intune Portal. The supported application format is *.intunewin. To create the application, use the IntuneWinAppUtil.exe tool.
For more information on how to prepare the *.intunewin application, follow the guide below:
1. Microsoft Win32 Content Prep Tool link: https://go.microsoft.com/fwlink/?linkid=2065730
The tool creates the *.intunewin application that is ready to upload into Intune. Here is the link to it: https://learn.microsoft.com/ru-ru/mem/intune/apps/apps-win32-prepare
2. The next step is to configure the application:
Go to Apps > Windows
3. Add the newly created *.intunewin application:
4. Select from the list of Windows app Win32, and tap Select:
5. Press the Select app package file button, select the recently created .intunewin file, and tap OK:
7. Install commands that are available in the following guide:
https://docs.safedns.com/books/installation-guides/page/agent-unattended-installation
8. In the next tab, select both Operating system architecture options, 32-bit and 64-bit, and set Minimum operating system to Windows 10 1607.
9. It is important to configure the Detection rule options:
10. Review and Save:
3. Configuring Compliance Policy
1. The policy is used to configure the hardware, and software setup of the computer joining Intune.
2. Create a new policy and name it:
3. Once finished, apply the Policy to All Devices:
4. The example of the Policy created above has the following summary:
4. Login on the clients' computers
1. Switch on the computer and go to the Settings (the computer should be connected to the internet):
2. Then Accounts > Access Work or School
3. The next step is to Add a work or school account > Connect
4. Add the user credentials of the user created in Intune:
5. Add the password of the account and configure the PIN code of the Windows Hello feature. The system may ask to configure/use Microsoft Authenticator.
6. Once the login process is finished, the menu Accounts > Access work or school looks like this:
5. Agent Installation
The installation of the Agent starts immediately after the successful login to the local computer.
1. The Agent is installed in silent mode, and filtering is automatically enabled and starts working:
2. Once the installation has finished successfully, open the Intune admin panel > Apps > Windows and select the initially created app record to see the installation results:
SafeDNS AD Agent environment configuration
The manual below describes the whole process of preparing, configuring, and installing the Agent in the Active Directory environment. The user operating system is Windows 11, and the server OS is Windows Server 2019 Standard.
Prerequisites: freshly installed Windows Server 2019 Standard, freshly installed Windows 11
Important Notice:
I: If the Active Directory is already installed and configured, while the Group Policy Management is not configured, please proceed with the installation of the Group Policy Management.
II: If the Active Directory and Group Policy Management are already installed and configured, please proceed to step 3 - Creating Users/Groups.
III: If the Active Directory and Group Policy Management are already installed and configured and Users/Groups exist, please proceed to step 4 - MSI File Preparation on the Server
Installing Agent in the AD environment without AD functionality
If you need to set up the Agent in the AD environment without using the AD functionality (e.g. adding AD users to SafeDNS Dashboard), you need the special build of the .msi file.
To get the special .msi build, please follow these steps:
- Send the request for the .msi file to the Support (support@safedns.com) or your SafeDNS Manager.
The request should contain username, password and PIN code.
PIN code is required to enter the Agent GUI. If PIN is not provided, it will be generated randomly.
- Wait until the .msi file is created and sent to you.
- Upload the .msi file to the server and host it in a folder that is available over the network to the end-user computers - we recommend setting the access level to Everyone.
- Add the .msi file to the following path using the Group Policy Management console:
Computer Configuration > Policies > Software Settings > Software Installation
The .msi file installation will start after the end-user computer restart.
The installation can be forced by running the following command on the end-user computer: gpupdate /force
1. Server installation Part. Installation of the Roles and Features.
Start the Server Manager and initiate the installation of the Roles:
Selecting Role-based or feature-based installation:
Selecting the local server from the Server Pool:
Selecting the Active Directory Domain Services role and, in the small window, tapping the Add Features button:
The next step is to select the Role of the DNS Server, accepting the proposed Features list:
Accept the previously selected Roles and tap the Next button:
Select the Group Policy Management feature:
Brief information about Azure Active Directory Domain Services(promo):
Brief information about installing DNS server:
The summary with the list of installing Roles and Features:
The installation process begins:
Once installed, the wizard shows the results of the installation:
We are set with the installation of the Roles & Features. Please close the window.
2. Active Directory Configuration process.
Start the Server Management and promote the server as a domain controller:
Creating a new forest and name it accordingly:
Leaving the options by default. Please set the DSRM password:
Configure the delegation options (if there is a need for that):
Configure the NETBIOS name:
Configuring the system folders:
The preview of the installing options:
Prerequisites check and install:
3. Creating User/Groups on the AD.
A new group and user should be created for the Agent Software delivery to the end-user computers. The application installation starts immediately after the first user logon to the computer.
3.1. Creating a new user.
Open the Active Directory Users and Computers, select the recently created domain, then Users => New => User:
Setting the username:
Password:
Reviewing the object(User) summary and finishing the process:
3.2. Creating the User Group.
Users can be part of one group within the AD environment. The application can be applied to a group of users optimizing the configuration and management of the Application Rollout.
Open Active Directory Users and Computers, select the domain, and then tap Users => New => Group:
Enter the data of the Group and tap OK:
Please check that the User and Group have been created:
3.3. User added to the group.
Select the group and tap Properties in the context menu:
In the window that appears, select Members and tap the Add button. Enter the username in the search field and press OK:
Select the user safedns_win11_test and tap the OK button:
Check the result and press the OK button:
The user creation part is over, now we need to configure GPO.
4. MSI file Preparation on the server.
The MSI Agent package should be prepared and copied to the folder on the Active Directory Server.
The folder with the Agent package should be available from the client's computer.
The folder permissions should be the following. The user Everyone should have Read & execute access:
The file preparation process is over.
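A pre-deployment check for the prepared package, as an added PowerShell example that is not part of the SafeDNS documentation. It confirms that the MSI's signature validates and that Everyone holds no rights beyond read & execute on the file and its folder; the function name Test-AgentPackage is hypothetical and the path is the sample one from the GPO step of this guide.

```powershell
# Added example (not SafeDNS code): check the Agent MSI before assigning it in the GPO.
$MsiPath = '\\server\share\SafeDNS_AD_Agent_3.0.5.msi'   # sample path from the GPO step

function Test-AgentPackage {                              # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    # 1. The Agent is described as a signed MSI: the signature must validate.
    $sig = Get-AuthenticodeSignature -FilePath $Path

    # 2. Rights that would let a holder alter or replace the package.
    $rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear on inherited ACEs.
    $mask = [int]$rights -bor 0x50000000

    $findings = foreach ($target in @($Path, (Split-Path -Path $Path -Parent))) {
        foreach ($ace in (Get-Acl -Path $target).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch { continue }                          # account no longer resolves
            # S-1-1-0 is the well-known SID of Everyone, independent of OS language.
            if ($sid -eq 'S-1-1-0' -and ([int]$ace.FileSystemRights -band $mask)) {
                [pscustomobject]@{ Target = $target; Rights = $ace.FileSystemRights }
            }
        }
    }

    [pscustomobject]@{
        SignatureStatus   = $sig.Status
        Signer            = $sig.SignerCertificate.Subject
        EveryoneCanModify = @($findings)
    }
}

$report = Test-AgentPackage -Path $MsiPath
$report | Format-List
if ($report.SignatureStatus -ne 'Valid' -or $report.EveryoneCanModify.Count -gt 0) {
    Write-Warning 'Do not assign this package until the findings above are resolved.'
}
```

Share-level permissions are separate from these NTFS permissions and can be reviewed on the server with Get-SmbShareAccess.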
5. Group Policy Configuration.
Open the Group Policy Management console
Select the current domain, then Group Policy Objects and open the context menu => New
Please name the Group Policy accordingly:
Once the policy is created, please set the User/Group to which the GPO installation applies:
In the window that appears, select the Group safedns_agent - with the user safedns_win11_test:
Once the GPO is created, tap the context menu of the object and click on Edit button:
Important notice: There are 2 possible ways of the MSI package installation:
- Installation Policy applied to the computer - Computer Configuration
- Installation Policy applied to the user - User configuration
It is recommended to use Computer Configuration - the software installation will start without user interaction and the user cannot stop/close installation.
The second option - User Configuration requires user actions on the computer to start the package installation and will require Administrator credentials.
In the Group Policy Management Editor select Computer Configuration then Policies => Software Settings => Software Installation.
Select the SafeDNS Agent installation package. The path should be the following: \\server\share\SafeDNS_AD_Agent_3.0.5.msi
Select the Assigned deploy method:
Once the Application package is added, the new record should appear in the list:
The installation is finished; the Agent should be installed after the next login to the computer.
Depending on the MSI package settings, after the installation the following objects should appear:
- SafeDNS Agent icon on the Desktop
- SafeDNS Agent service
- SafeDNS icon on the system tray
If there is a need to start the MSI package installation before restarting/new login, open the CMD command line and run the following command:
gpupdate /force
This command will initiate the installation process:
Once the computer has restarted, the application appears on the Desktop, the service is created, and the icon appears in the system tray: