Active Directory Sync Tool
With our new Sync Tool you can integrate DNSFilter with your Active Directory. Click the link above to learn more about our new features.
DNSFilter can be deployed easily and quickly in your Active Directory environment. However, there are some limitations. Most customers choose to implement a combination of Roaming Clients and DNS forwarding from the Domain Controller to have comprehensive filtering. This article outlines capabilities, limitations, and best practices for using our service in an AD environment.
| Capabilities | Limitations |
|---|---|
| ✔️ GPO distribution of Roaming Clients | 🚫 Limited to Windows OS only |
| ✔️ Per-machine filtering | |
| ✔️ AD Forwarding configuration | |
| ✔️ Per-user logging | |
| ✔️ Per-user filtering | |
| ✔️ OU integration | |
Installation Best Practices
Setting up DNSFilter on the Domain Controller
The starting point for using DNSFilter on your Active Directory network is to configure it as an upstream DNS resolver on your Domain Controllers. This will ensure a blanket level of filtering for your entire network. This can be done easily by entering our IPs in Server Manager. A full text and video walkthrough is located here.
Distributing the Roaming Client
Per-device filtering and reporting can be achieved easily by deploying the Windows Roaming Client. The Roaming Client is distributed as an MSI file. It can be installed through a script or with a Group Policy Object (GPO). By default, Roaming Clients inherit the policy of the network to which they are assigned. You can easily change this to another policy for each machine or for a group. They will then have that policy whether on or off your corporate network.
Tip: We recommend taking advantage of the “tags” system when rolling out the Roaming Client. Using TAGS="tag1,tag2" as a command-line flag, you can set tags at install time which correspond to your user groups in Active Directory, such as “Sales” or “Development”. This will help you to have a similar structure reflected in the dashboard to what you have in Active Directory.
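One way to script the tagged install described in the tip, as an added example that is not DNSFilter's own code: it derives the tag list from the computer's OU path and strips characters that could break out of the quoted TAGS value on the msiexec command line. The MSI path, the `$ExtraProperties` placeholder (for any other properties the vendor's install instructions require), the function names, and the choice of OU names as tags are assumptions.

```powershell
# Added example. Assumptions (not from the article): the MSI path, the
# $ExtraProperties placeholder, and the use of OU names as tag values.

function ConvertTo-TagList {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split the DN on commas that are not backslash-escaped.
    $parts = [regex]::Split($DistinguishedName, '(?<!\\),')
    $tags = foreach ($p in $parts) {
        if ($p -match '^\s*OU=(.+)$') {
            # Allow-list the characters kept in a tag so an OU name cannot
            # inject a comma, a quote, or another MSI property.
            ($Matches[1] -replace '[^A-Za-z0-9 _-]', '').Trim()
        }
    }
    ($tags | Where-Object { $_ } | Select-Object -Unique) -join ','
}

function Get-ComputerDN {
    # Looks up this machine's own AD object; requires a domain-joined host.
    $searcher = [adsisearcher]"(&(objectCategory=computer)(name=$env:COMPUTERNAME))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "Computer object not found in Active Directory" }
    [string]$result.Properties['distinguishedname'][0]
}

function Install-RoamingClient {
    param(
        [Parameter(Mandatory)][string]$MsiPath,   # placeholder path to the MSI
        [Parameter(Mandatory)][string]$Tags,
        [string[]]$ExtraProperties = @()          # other properties from the vendor's instructions
    )
    $argList = @('/i', "`"$MsiPath`"", '/qn', "TAGS=`"$Tags`"") + $ExtraProperties
    $proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $argList -Wait -PassThru
    # msiexec returns 0 on success and 3010 when a reboot is still required.
    if ($proc.ExitCode -notin 0, 3010) {
        throw "msiexec failed with exit code $($proc.ExitCode)"
    }
}

# Constructed sample DN, so the tag logic can be checked without AD access:
ConvertTo-TagList 'CN=PC-042,OU=Sales\, EMEA,OU=Workstations,DC=corp,DC=example'

# On a domain-joined machine (the share path is a placeholder):
# Install-RoamingClient -MsiPath '\\fileserver\deploy\RoamingClient.msi' `
#     -Tags (ConvertTo-TagList (Get-ComputerDN))
```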
Once the Roaming Clients are deployed, they will be populated in the Roaming Client management panel. From here, you can mass-select Roaming Clients by tags and then apply filtering policies to them. You can get as granular as desired, even customizing individual policies to apply to each client.
Selecting Roaming Clients by tag
Once the Roaming Client is installed on a machine, it will begin logging traffic to the DNSFilter dashboard. By navigating to the Query Log tool, you can filter traffic by Site or by individual machine. Selecting a specific computer will allow you to see a time-stamped log of DNS requests from that specific machine. This is useful for auditing the traffic of your users.