Active Directory

Active Directory setup: SafeDNS Dashboard configuration.

1. Create the domain on the SafeDNS Dashboard.

After receiving the SafeDNS AD Agent from SafeDNS support, add the name of your AD domain (the domain served by your local domain controller) to the dashboard. This authorizes your AD environment on the SafeDNS dashboard. Before adding it, make sure your subscription plan is one of the business plans and not the Reseller one.

Filtering rules of AD users can be managed under the “Active Directory" tab:

https://ad.safedns.com/users

image-1722110364688.png

Go to the Domains tab and create a domain. The domain name must be the real one used on the AD server; SafeDNS.local is used as an example here.

Enter the domain name and press the "Create" button:

image-1722110669310.png

After adding the domain to the list, install the Agent application file.

The agent is a signed MSI file with your authorization credentials embedded.

The credentials are either an identification token (installation with AD functionality) or a login and password (installation without AD functionality). If the agent is installed without credentials, you will need to log into each agent manually.

The package is then deployed via GPO to the required number of users.

The guide below describes installing the Agent application in the Active Directory environment:

https://docs.safedns.com/books/installation-guides/page/safedns-ad-agent-environment-configuration

2. SafeDNS Dashboard configuration (continued)

After the Agent installation is complete, the agent starts automatically when the user logs in and transmits the user's information to the Dashboard, "Active Directory" page, "Users" submenu. When the user first appears in the list, it is not associated with any filtering profile. To assign a filtering profile to the user, go to the Collections tab.

image-1722110978059.png

3. Allocating users with the filtering Policy.

To start filtering create a Collection in the "Collections" tab:

image-1722111108970.png

1. Enter the name of the Collection;

2. Choose the domain name;

3. Press the "Save Collection" button;

image-1722115683684.png

Once the collection is created, the following window will appear:

image-1722116750272.png

4. Collection Overview

Once the users have been assigned a filtering policy, the Collections tab looks as follows:

image-1722116823435.png

image-1722117616284.png

5. Users tab overview

Once the users have been assigned policies, the Users tab shows the detailed information:

image-1722117823217.png

SafeDNS and local resources

This guide explains how to set up the SafeDNS service in the Active Directory environment with the SafeDNS Dashboard.

Manual Setup in the Dashboard

The main way to reach AD resources without using the SafeDNS agent is the set of options available on Office/Enterprise plans.

Add the SafeDNS resolver addresses, 195.46.39.39 and 195.46.39.40, as DNS forwarders on your Primary Domain Controller (and on secondary domain controllers, if applicable). Devices in the filtered network keep using the domain controller as their DNS server, and every query the domain controller is not authoritative for is then forwarded to SafeDNS. After this, add your external IP address to the dashboard.

Navigate to Dashboard -> Settings -> Devices and add your external IP in the section "IP addresses/DynDNS".

1. SafeDNS and Active Directory.png
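The forwarder change above, done from PowerShell on the domain controllers, with the checks that confirm queries actually leave through SafeDNS. This is an added example, not code from the SafeDNS documentation. It assumes an elevated session on a domain controller with the DnsServer and ActiveDirectory modules available; the two resolver addresses are the ones given above, and www.example.com is only a hypothetical name for the lookup test.

```powershell
# Added example, not part of the SafeDNS documentation: make the SafeDNS resolvers
# the only DNS forwarders on every domain controller and verify the result.
# Assumptions: elevated PowerShell on a DC with the DnsServer and ActiveDirectory
# modules; $TestName is a hypothetical external host used only for the check.

$SafeDnsForwarders = @('195.46.39.39', '195.46.39.40')   # addresses from the guide
$TestName          = 'www.example.com'                    # hypothetical test host

# Apply to the PDC and every other DC: a client that happens to use a DC that
# still forwards to an unfiltered resolver would bypass the filtering.
foreach ($dc in Get-ADDomainController -Filter *) {
    # Set-DnsServerForwarder REPLACES the forwarder list (Add-DnsServerForwarder
    # would append), so an ISP or public resolver configured earlier is removed.
    # UseRootHint $false: if SafeDNS does not answer, the DC fails closed instead
    # of silently falling back to the root servers and resolving unfiltered.
    Set-DnsServerForwarder -ComputerName $dc.HostName `
        -IPAddress $SafeDnsForwarders -UseRootHint $false -Timeout 5

    "== $($dc.HostName)"
    Get-DnsServerForwarder -ComputerName $dc.HostName |
        Format-List IPAddress, UseRootHint, Timeout
}

# Forwarders are only consulted for names the DC is not authoritative for, so
# the AD zone must still be served locally.
$Domain = (Get-ADDomain).DNSRoot                           # e.g. safedns.local
Get-DnsServerZone -Name $Domain | Format-List ZoneName, ZoneType, IsDsIntegrated

# An internal name is answered from the zone; an external name goes via SafeDNS.
Resolve-DnsName -Name $Domain   -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress
Resolve-DnsName -Name $TestName -Type A -Server 127.0.0.1 | Select-Object Name, IPAddress
```

The external IP you register in the dashboard must be the address these forwarded queries leave your network from; the domain controllers themselves should keep pointing their own network adapters at a domain controller, not directly at the SafeDNS resolvers.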

Grant access to local resources.

1. Navigate to Dashboard -> Settings -> Advanced -> Active Directory.

2. Enter and add your AD domain in the form.

2. SafeDNS and Active Directory.png

3. Enter and add the name of the PDC (Primary Domain Controller) and its IP address in the local network.

3. SafeDNS and Active Directory.png

4. Add secondary domain controllers, if applicable. You can change the PDC by clicking on the pencil icon on the right.

4. SafeDNS and Active Directory.png

5. Set aliases for all required local resources in the Aliases table below. Enter the name of a local resource and its local IP address.

5. SafeDNS and Active Directory.png

6. Wait about 5-7 minutes until all local resources become accessible.

 

Please note that settings take 5-7 minutes to apply.
Stats and filtering status update every 10 minutes.

SafeDNS Agent Intune installation

1. Setting up the Intune environment

First set up the user and domain in the Intune portal, add and configure the application, and then sign in to the Microsoft/Intune account from the client computer.

To install the SafeDNS agent, download the .exe installation file from the SafeDNS Dashboard, then convert it into a .intunewin package (section 2 below).

Before starting the installation, make sure the necessary licenses are active (steps 1 and 2 below).

1. Open the Microsoft 365 Admin Center (https://admin.microsoft.com) and select Billing > Licenses.
Make sure that the following licenses are active:

1. Intune
2. Microsoft Entra ID P2

image-1719870095958.png

2. If there are no licenses, go to Marketplace > All Products > Security and Identity, select the licenses listed above, and order them.

image-1719870105745.png

3. Next, create or add the users who will sign in from the client computers. New users can be created, or existing external users can be invited.

image-1719870128052.png

4. Creating the username, nickname, display name, and password:

image-1719870156017.png

5. Review and check the parameters, then finish the process of user creation:

image-1719870225845.png

6. Go to the Intune admin center: https://intune.microsoft.com
You may be asked for a password or for Microsoft Authenticator on your phone.
Go to Devices > Windows:

image-1719870242916.png

7. Select Enrollment > Automatic Enrollment:

image-1719870250730.png

8. Set MDM user scope to All and save the settings:

image-1719870265104.png

9. Set the PIN code to unlock the device using the Windows Hello for Business feature:

image-1719870315636.png

10. The settings are on the right-side panel. Once the settings are configured, save the changes.

Now the user can sign in to Azure Active Directory with the credentials created above.

2. Preparing application for Intune Portal

Prepare the application for upload to the Intune portal. The supported format is *.intunewin; to create it, use the IntuneWinAppUtil.exe tool.

For more information on how to prepare the *.intunewin application, follow the guide below:

1. Microsoft Win32 Content Prep Tool: https://go.microsoft.com/fwlink/?linkid=2065730
The tool creates the *.intunewin package that is ready to upload into Intune; usage instructions ship with the tool.
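The packaging step, as an added example rather than anything from the SafeDNS or Microsoft documentation: it checks the installer's signature before wrapping it, records its hash, and runs the Content Prep Tool non-interactively. The tool path, the source and output folders and the installer file name SafeDNSAgent.exe are assumptions; use whatever name the file downloaded from the SafeDNS Dashboard has.

```powershell
# Added example, not part of the SafeDNS documentation: wrap the SafeDNS agent
# installer into a .intunewin package with the Microsoft Win32 Content Prep Tool.
# Assumed paths and file names (adjust to your environment):
$Tool      = 'C:\Intune\IntuneWinAppUtil.exe'   # downloaded from the link above
$SourceDir = 'C:\Intune\src'                    # folder containing ONLY the installer
$Setup     = 'SafeDNSAgent.exe'                 # the .exe from the SafeDNS Dashboard
$OutDir    = 'C:\Intune\out'

$installer = Join-Path $SourceDir $Setup

# 1. Verify the installer's Authenticode signature before wrapping it: the
#    resulting package is what every enrolled device will run as SYSTEM.
$sig = Get-AuthenticodeSignature -FilePath $installer
if ($sig.Status -ne 'Valid') {
    throw "Installer signature is '$($sig.Status)' - do not package it."
}
"Signer: $($sig.SignerCertificate.Subject)"

# 2. Record the hash so the uploaded package can be tied back to this exact file.
Get-FileHash -Algorithm SHA256 -Path $installer | Format-List Path, Hash

# 3. Build the package. Everything in the source folder is included, which is why
#    $SourceDir should hold nothing but the installer.
#    -c source folder, -s setup file, -o output folder, -q quiet (no prompts).
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
& $Tool -c $SourceDir -s $Setup -o $OutDir -q
if ($LASTEXITCODE -ne 0) { throw "IntuneWinAppUtil failed with exit code $LASTEXITCODE" }

# The tool names the package after the setup file: SafeDNSAgent.intunewin here.
Get-ChildItem -Path $OutDir -Filter *.intunewin
```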

2. The next step is to configure the application:
Go to Apps > Windows

image-1719870336808.png

3. Add the newly created *.intunewin application:

image-1719870509233.png

4. Select Windows app (Win32) from the list of app types and click Select:

image-1719870523295.png

5. Press the Select app package file button, select the .intunewin file created earlier, and click OK:

image-1719870722594.png

6. Please fill in the fields using the example below:

image-1719870729665.png

7. The install commands are given in the following guide:
https://docs.safedns.com/books/installation-guides/page/agent-unattended-installation

8. On the next tab, select both operating system architectures (32-bit and 64-bit) and set Minimum operating system to Windows 10 1607:

image-1719870744119.png

9. Configure the Detection rules carefully. Intune uses them to decide whether the agent is already present: a rule that never matches makes every installation report as failed, and a rule that always matches makes Intune skip the installation altogether:

image-1719870794833.png

10. Review and Save:

image-1719870814038.png

3. Configuring Compliance Policy

1. The compliance policy defines the hardware and software requirements a computer must meet to join Intune.

2. Create a new policy and name it:

image-1719870840719.png

image-1719870846703.png

image-1719870870280.png

The example below shows only the Minimum OS version: 10.0.17134.1

image-1719870921442.png

There might be additional OS or hardware requirements that need to be configured accordingly.


3. Once finished, apply the Policy to All Devices:

image-1719870939083.png

4. The policy created above has the following summary:

image-1719870955247.png

4. Signing in on the client computers

1. Turn on the computer (it must be connected to the internet) and open Settings:

image-1719871032257.png

2. Then Accounts > Access Work or School

image-1719871041517.png

3. The next step is to Add a work or school account > Connect


image-1719871051905.png

4. Add the user credentials of the user created in Intune:

image-1719871061248.png

5. Add the password of the account and configure the PIN code of the Windows Hello feature. The system may ask to configure/use Microsoft Authenticator.

image-1719871076641.png

image-1719871086632.png

image-1719871113613.png

image-1719871119217.png

6. Once the sign-in is complete, the Accounts > Access work or school menu looks like this:

image-1719871138871.png

5. Agent Installation

The Agent installation starts immediately after a successful sign-in on the local computer.


image-1719871147070.png

1. The Agent is installed silently; filtering is enabled and starts working automatically:

image-1719871263868.png

2. The installation has finished successfully. To see the installation results, open the Intune admin center > Apps > Windows and select the app record created earlier:

image-1719871278311.png

SafeDNS AD Agent environment configuration

The manual below describes the whole process of preparing, configuring and installing the Agent in the Active Directory environment. The client operating system is Windows 11 and the server is Windows Server 2019 Standard.

Prerequisites: freshly installed Windows Server 2019 Standard, freshly installed Windows 11

Important Notice:

I: If the Active Directory is already installed and configured, while the Group Policy Management is not configured, please proceed with the installation of the Group Policy Management.

II: If the Active Directory and Group Policy Management are already installed and configured, please proceed to step 3 - Creating Users/Groups.

III: If the Active Directory and Group Policy Management are already installed and configured and Users/Groups exist, please proceed to step 4 - MSI File Preparation on the Server

Installing Agent in the AD environment without AD functionality

If you need to set up the Agent in an AD environment without using the AD functionality (for example, adding AD users to the SafeDNS Dashboard), you need a special build of the .msi file.

To get the special .msi build, follow these steps:

  1. Send a request for the .msi file to Support (support@safedns.com) or to your SafeDNS Manager.
    The request should contain the username, password and PIN code.
    The PIN code is required to open the Agent GUI. If no PIN is provided, one is generated randomly.
  2. Wait until the .msi file is created and sent to you.
  3. Upload the .msi file to the server and host it in a folder that is reachable over the network from the end-user computers. Read access is all that is needed; we recommend granting it to Everyone or, more narrowly, to Authenticated Users. Either way the principal must include the domain computer accounts, because a Computer Configuration installation reads the share as the computer account.
  4. Add the .msi file at the following path in the Group Policy Management console:
    Computer Configuration > Policies > Software Settings > Software Installation

The .msi installation starts after the end-user computer restarts.
It can be triggered earlier by running the following command on the end-user computer (the command asks whether to restart, because computer software installation only runs during startup): gpupdate /force

The NOAD agent installation follows exactly the same steps as described below. The only difference is that the NOAD agent uses a login and password instead of an AD token and has the AD module disabled with the /noad switch.

1. Server installation Part. Installation of the Roles and Features.

Open Server Manager and start the installation of roles:

image-1719873513183.png

image-1719873557001.png

Select Role-based or feature-based installation:

image-1719873584888.png

Select the local server from the Server Pool:

image-1719873617241.png

Select the Active Directory Domain Services role and, in the pop-up window, click the Add Features button:

image-1719873688795.png

Next, select the DNS Server role and accept the proposed list of features:

image-1719873785690.png

Confirm the roles selected above and click Next:

image-1719873996913.png

Select the Group Policy Management feature:

image-1719874023816.png

Brief information about Azure Active Directory Domain Services (promotional page):

image-1719874060407.png

Brief information about installing DNS server:

image-1719874123270.png

The summary of the roles and features to be installed:

image-1719874166388.png

The installation process begins:

image-1719874227531.png

Once installed, the wizard shows the results of the installation:

image-1719875358686.png

We are set with the installation of the Roles & Features. Please close the window.

2. Active Directory Configuration process.

Open Server Manager and promote the server to a domain controller:

image-1719875481886.png

Create a new forest and name it accordingly:

image-1719875665812.png

Leave the options at their defaults and set the DSRM password:

image-1719875707416.png

Configure the DNS delegation options (if needed):

image-1719876092400.png

Configure the NetBIOS name:

image-1719876146683.png

Configuring the system folders:

image-1719876165886.png

Review the installation options:

image-1719876207394.png

Prerequisites check and install:

image-1719876234499.png

3. Creating User/Groups on the AD.

A new group and user are created for delivering the Agent software to the end-user computers. The application installation starts immediately after the first user logon to the computer.

3.1. Creating a new user.

Open the Active Directory Users and Computers, select the recently created domain, then Users => New => User:

image-1719876407599.png

Setting the username:

image-1719876466036.png

Password:

image-1719876540954.png

Reviewing the object(User) summary and finishing the process:

image-1719876563571.png

3.2. Creating of the User Group.

A user can be a member of any number of groups. Assigning the application to a group rather than to individual users simplifies the configuration and management of the rollout.

In Active Directory Users and Computers, select your domain, then Users => New => Group:

image-1719876621028.png

Enter the group details and click OK:

image-1719876851444.png

Check that the user and the group have been created:

image-1719876932012.png

3.3. Adding the user to the group.

Select the group and choose Properties from the context menu:

image-1719876972656.png

In the window that appears, select Members and click Add. Enter the username in the search field and press OK:

image-1719877100730.png

Select the user safedns_win11_test and click OK:

image-1719877211354.png

Check the result and press OK:

image-1719877253089.png

The user creation part is complete; next, configure the GPO.

4. MSI file Preparation on the server.

The MSI Agent package should be prepared and copied to a folder on the Active Directory server.

The MSI Agent package is prepared by SafeDNS. Our technical team generates your personal identification token and embeds it in the package.

The folder with the Agent package must be reachable from the client computers.

image-1719877376881.png

The folder permissions should be as follows: Everyone (or, more narrowly, Authenticated Users, which includes the domain computer accounts that a Computer Configuration install reads the share as) needs Read & Execute; only administrators need write access:

image-1719930007444.png

The preparation of the file process is over.
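The share preparation described here (and in the NOAD section above) done from PowerShell, with the signature check a practitioner would want before a package is pushed to every computer. This is an added example, not code from SafeDNS: the folder C:\Shares\SafeDNS and the share name SafeDNS are assumptions, and SafeDNS_AD_Agent_3.0.5.msi is the file name used later in this guide. It grants read access to Authenticated Users rather than Everyone; both cover the computer accounts.

```powershell
# Added example, not part of the SafeDNS documentation: publish the Agent MSI on a
# share with least-privilege permissions and verify it before the GPO points at it.
# Assumed names: folder C:\Shares\SafeDNS and share name SafeDNS; the file name
# SafeDNS_AD_Agent_3.0.5.msi is the one this guide uses. Run elevated on the server.

$Folder = 'C:\Shares\SafeDNS'
$Share  = 'SafeDNS'
$Msi    = Join-Path $Folder 'SafeDNS_AD_Agent_3.0.5.msi'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
# Copy the MSI received from SafeDNS into $Folder before running the rest.

# 1. The package is signed: refuse to publish it domain-wide if the signature is
#    missing or broken (every client will execute this file as SYSTEM).
$sig = Get-AuthenticodeSignature -FilePath $Msi
if ($sig.Status -ne 'Valid') { throw "MSI signature status is '$($sig.Status)'" }
"Signed by: $($sig.SignerCertificate.Subject)"

# 2. NTFS permissions. Authenticated Users includes the domain computer accounts,
#    which is what a Computer Configuration install reads the share as. Only
#    SYSTEM and Administrators may write, so no ordinary user can swap the MSI.
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)        # stop inheriting parent ACEs
foreach ($entry in @(
        @{ Id = 'NT AUTHORITY\Authenticated Users'; Rights = 'ReadAndExecute' },
        @{ Id = 'NT AUTHORITY\SYSTEM';              Rights = 'FullControl'    },
        @{ Id = 'BUILTIN\Administrators';           Rights = 'FullControl'    })) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $entry.Id, $entry.Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Folder -AclObject $acl

# 3. Share permissions: read-only. Effective access is the intersection of share
#    and NTFS rights, so the NTFS ACL above remains the real gate.
if (-not (Get-SmbShare -Name $Share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $Share -Path $Folder `
        -ReadAccess 'Authenticated Users' -FullAccess 'Administrators' | Out-Null
}

# 4. Verify the UNC path the GPO package will use and the resulting share access.
$Unc = "\\$env:COMPUTERNAME\$Share\$(Split-Path -Leaf $Msi)"
if (-not (Test-Path $Unc)) { throw "MSI not reachable at $Unc" }
"GPO package path: $Unc"
Get-SmbShareAccess -Name $Share | Format-Table AccountName, AccessRight
```

Test the UNC path from a domain-joined client as well, since that is the account and network position the installation actually runs from.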

5. Group Policy Configuration.

Open the Group Policy Management console.

Select the current domain, then Group Policy Objects, open the context menu and choose New:

image-1719930175238.png

Please name the Group Policy accordingly:

image-1719930314761.png

Once the policy is created, set the security filtering so the GPO applies to the intended user/group:

image-1719930359537.png

In the window that appears, select the group safedns_agent (which contains the user safedns_win11_test):

image-1719930504658.png

Once the GPO is created, open the object's context menu and click Edit:

image-1719930644053.png

Important notice: there are two possible ways to install the MSI package:

  1. Installation policy applied to the computer - Computer Configuration
  2. Installation policy applied to the user - User Configuration


image-1719930802132.png

The second option, User Configuration, requires user action on the computer to start the package installation and will require Administrator credentials. Note that a Computer Configuration policy is evaluated by the computer account, so the computer objects (not only the users) must have Read and Apply Group Policy rights on the GPO for the installation to happen.

In the Group Policy Management Editor, select Computer Configuration, then Policies => Software Settings => Software Installation.

Open the context menu and select New => Package:

image-1719931149148.png

Select the SafeDNS Agent installation package. The path must be the UNC path of the share, for example \\server\share\SafeDNS_AD_Agent_3.0.5.msi; a local path on the server would not be reachable from the clients:

image-1719931222454.png

Select the Assigned deployment method:

image-1719931383646.png

Once the Application package is added, the new record should appear in the list:

image-1719931442193.png

The GPO configuration is finished. Computer-assigned software installs during startup, so the Agent is installed at the next restart of the computer, before the user signs in.
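The GPO creation, linking and security filtering from section 5 done with the GroupPolicy cmdlets, plus the scoping fix the Computer Configuration choice requires. This is an added example, not code from SafeDNS; the Software Installation package itself has no cmdlet and is added in the Group Policy Management Editor exactly as shown above. The GPO name "SafeDNS Agent", the OU "Workstations" and the computer name WIN11-TEST are assumptions; safedns_agent is the group created earlier in this guide.

```powershell
# Added example, not part of the SafeDNS documentation: create the GPO, link it and
# set its security filtering from PowerShell, then show the result. The Software
# Installation package is added in the Group Policy Management Editor as above.
# Assumed names: GPO "SafeDNS Agent"; the OU Workstations and the computer
# WIN11-TEST are hypothetical; safedns_agent is the group from this guide. Run on a DC.

Import-Module GroupPolicy, ActiveDirectory
$GpoName  = 'SafeDNS Agent'
$Group    = 'safedns_agent'
$Domain   = (Get-ADDomain).DistinguishedName          # e.g. DC=safedns,DC=local
$TargetOU = "OU=Workstations,$Domain"                 # hypothetical OU holding the clients
$Client   = 'WIN11-TEST'                              # hypothetical computer account

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'SafeDNS Agent MSI via Computer Configuration'
}

# Only the computer half is used, so stop clients processing the empty user half.
$gpo.GpoStatus = 'UserSettingsDisabled'

# A Computer Configuration policy is evaluated by the COMPUTER object, so link it
# where the computers live, not where the users live.
$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
    Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Guid $gpo.Id -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# Security filtering. Authenticated Users keeps Read (the computer must be able to
# read the GPO; required since MS16-072) but no longer Apply, so the policy does
# not hit every computer under the OU. Apply goes to the group. A group that holds
# only users, as in the screenshots, never applies a Computer Configuration GPO,
# so the computer accounts are added to it.
Set-GPPermission -Guid $gpo.Id -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Guid $gpo.Id -TargetName $Group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Add-ADGroupMember -Identity $Group -Members (Get-ADComputer -Identity $Client)
# Group membership is carried in the computer's Kerberos ticket, so it takes
# effect only after the client restarts.

# Show the resulting filtering so it can be checked against the intent.
Get-GPPermission -Guid $gpo.Id -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, TrusteeType, Permission
```

If you keep the default filtering instead (Authenticated Users with Apply), the GPO applies to every computer under the linked OU, since computer accounts are also authenticated users.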

Depending on the MSI package settings, after the installation the following objects should appear:

  1. SafeDNS Agent icon on the Desktop
  2. SafeDNS Agent service
  3. SafeDNS icon on the system tray

image-1719931503726.png

If you need to start the MSI package installation before the next restart or login, open a command prompt on the end-user computer and run:

gpupdate /force

Because computer software installation only runs during startup, the command asks whether to restart; answer Y and the installation proceeds during the reboot:

image-1719931829481.png

Once the computer has restarted, the application appears on the Desktop, the service is created and the icon appears in the system tray:

image-1719931964437.png
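The checks to run on the end-user computer when the desktop icon, service or tray icon from the list above does not appear after the restart. This is an added example, not part of the SafeDNS documentation; the service and product are matched on the string "SafeDNS" because the guide does not give their exact names, so adjust the filter if your installation uses different ones.

```powershell
# Added example, not part of the SafeDNS documentation: verify on the end-user
# computer (elevated PowerShell) that the GPO applied and the Agent was installed.
# Service and product names are matched on "SafeDNS" because the guide does not
# give their exact names.

# Which GPOs the COMPUTER applied. The SafeDNS GPO must be listed under
# "Applied Group Policy Objects"; if it is under "filtered out", the security
# filtering excludes this computer account.
gpresult /r /scope:computer

# Installed product, read from the Uninstall registry keys (Win32_Product is
# avoided: querying it triggers a consistency check of every MSI on the machine).
$uninstall = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
    Where-Object DisplayName -like '*SafeDNS*' |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

# The Agent service the guide says should exist, and whether it is running.
Get-Service | Where-Object DisplayName -like '*SafeDNS*' |
    Format-Table Name, DisplayName, Status, StartType

# Why an install did or did not happen: Group Policy's software installation
# provider and Windows Installer both log to the Application log.
Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Management Group Policy', 'MsiInstaller'
    } -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object Message -like '*SafeDNS*' |
    Select-Object TimeCreated, ProviderName, Id, Message
```

A GPO that shows as applied with no MsiInstaller events usually means the client could not read the package path: check the share from the client with the computer account in mind, not the logged-in user.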