Understanding the concept
There are a few situations in which integrating SEPM with Active Directory is useful:
1) You can import your Organizational Unit (OU) structure, which gives you all your predefined groups, so it is easy to create policies and assign them to the relevant OU. In a typical environment all computers already sit under OUs, so in addition to the Active Directory policies applied to them you can attach SEP policies to the same groups.
2) You can set up AD authentication for SEPM administrators: create a new user in SEPM and let it authenticate with the account's AD password instead of a separate SEPM password.
Integrating AD with SEPM
1. Open the SEPM console and go to the 'Clients' tab.
2. Create a group under Clients with a meaningful name: Clients -> right-click 'My Company' -> 'Add a group'.
3. Now select the 'Admin' tab -> 'Servers'. The servers are listed on the left-hand side. Select the server name and click 'Edit the server properties'.
4. In the dialog that appears, select the 'Directory Servers' tab. This is where you add your AD server and its details.
Click 'Add', enter the details of your primary Active Directory server and click 'OK'. Make sure the account you specify has the privileges needed to read the data from Active Directory; importing users and OUs is a read-only operation, so a dedicated account with read access is enough and a highly privileged account should not be used for it. If you want the communication encrypted, tick 'Use secure connection' (LDAP over SSL on port 636); without it the LDAP traffic, including the bind, crosses the network in clear text, which matters most when the AD server and the SEPM server are on different networks but is advisable in any case. On the 'Replication Servers' tab add any replicating domain controllers; these redundant DCs allow automatic failover if the primary DC becomes unavailable.
5. Synchronization can be manual or automatic. For automatic synchronization, tick 'Synchronize with directory servers' and fill in the schedule as required. For manual synchronization, you trigger it after adding the OU under the Clients tab.
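Before typing the directory server details into SEPM it is worth proving, from the SEPM server itself, that the account you are about to hand over can actually bind over LDAPS and read the OU you plan to import. The following PowerShell is an added example, not code from the original article or from SEPM; the server name, the OU distinguished name and the account prompted for are assumed values to be replaced with your own. It uses the .NET System.DirectoryServices.Protocols classes so it needs no RSAT modules.

```powershell
# Added example (not from the original article or SEPM): verify that the AD sync
# account can bind over LDAPS (port 636) and read computer objects under an OU.
# $Server and $SearchBase are assumed values; replace them with your own.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server     = 'dc01.example.local'
$SearchBase = 'OU=Workstations,DC=example,DC=local'
$Cred       = Get-Credential -Message 'Account SEPM will use for AD sync (read access is enough)'

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, 636
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
$conn.SessionOptions.SecureSocketLayer = $true   # equivalent of ticking 'Use secure connection'
$conn.SessionOptions.ProtocolVersion   = 3
# Simple bind with username/password; the password is protected by the TLS session above.
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $Cred.GetNetworkCredential()

try {
    $conn.Bind()   # throws LdapException if the port, the certificate or the credentials are wrong
    'Bind OK as {0}' -f $Cred.UserName

    # Read-only subtree search for computer objects: this is all SEPM needs for import and sync.
    $scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $SearchBase, '(objectClass=computer)', $scope, ([string[]]@('dNSHostName'))
    $resp  = $conn.SendRequest($req)
    'Computers readable under {0}: {1}' -f $SearchBase, $resp.Entries.Count
} catch {
    # A failed bind means SEPM would fail the same way; a bind that works but
    # returns 0 entries usually means the OU DN is wrong or the account lacks read access.
    'AD check failed: {0}' -f $_.Exception.Message
} finally {
    $conn.Dispose()
}
```

If the bind succeeds but the count is zero, fix the OU path or the account's read permission before adding the server in SEPM; if the bind itself fails with a certificate error, the SEPM server does not trust the domain controller's certificate issuer and 'Use secure connection' will fail for the same reason.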
Completing the above steps adds the directory server details to the SEPM console. Once that is done you can import users from AD and add an organizational unit as a group. Perform the actions below as required.
Perform the steps below if you would like to import AD users into SEPM
1. Click the 'Clients' tab and select the option 'Import Active Directory or LDAP users'.
2. In the next window the server you added is listed under 'Directory server'. Select it from the drop-down box and the server details are filled in automatically.
SEPM talks to the directory server on port 389 (non-secure) or 636 (secure), depending on which you specified, so make sure that port is open along the network path. You can confirm this with telnet: open a command prompt and type 'telnet <directory server name/IP> 389' (or 636). If it connects, the port is open and you can continue; if not, open the port wherever it is blocked (firewall/proxy). Note that the Telnet Client is an optional Windows feature and may need to be enabled first.
If this is the first AD integration it does not matter whether 'Only show users that are not added to any group' is ticked. If users were imported before, tick it so that only users not already present in SEPM are listed. Click 'List users' to see the users matching your selection. Select the group you want to add the users to (here I have selected 'AD'), then add individual users with 'Add' or all of them with 'Add All'. Note that once a user is added to the group it disappears from the user list. Add the users you need and click 'Close'.
3. Expand the group you added and confirm that the users are listed as expected.
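The telnet test above only proves that a TCP port is open. For the secure option SEPM must also be able to validate the certificate the domain controller presents on port 636, which telnet cannot tell you. The PowerShell below is an added example, not code from the original article or from SEPM: it repeats the reachability test for both ports without the Telnet Client, then performs a TLS handshake with standard .NET chain and name validation and prints the certificate it received. $DirectoryServer is an assumed name.

```powershell
# Added example (not from the original article or SEPM): PowerShell equivalent of the
# telnet port check plus an LDAPS certificate check, run from the SEPM server.
# $DirectoryServer is an assumed name; replace it with your domain controller's DNS name.
$DirectoryServer = 'dc01.example.local'

# 1. TCP reachability on 389 (non-secure) and 636 (secure). TcpTestSucceeded is the
#    same yes/no answer telnet gives, with no need to install the Telnet Client.
foreach ($port in 389, 636) {
    $r = Test-NetConnection -ComputerName $DirectoryServer -Port $port -WarningAction SilentlyContinue
    '{0}:{1} reachable: {2}' -f $DirectoryServer, $port, $r.TcpTestSucceeded
}

# 2. For 'Use secure connection' an open port 636 is not enough: the SEPM server must be
#    able to validate the domain controller's certificate. AuthenticateAsClient does the
#    standard chain, expiry and name validation and throws if any of them fails.
$client = $null
try {
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $DirectoryServer, 636
    $stream = $client.GetStream()
    $ssl    = New-Object System.Net.Security.SslStream -ArgumentList $stream, $false
    $ssl.AuthenticateAsClient($DirectoryServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    'LDAPS certificate accepted: subject={0}; issuer={1}; expires={2}' -f $cert.Subject, $cert.Issuer, $cert.NotAfter
    $ssl.Dispose()
} catch {
    # Typical causes: port blocked, DC has no server certificate, issuing CA not trusted
    # on the SEPM server, or the name used does not match the name on the certificate.
    'LDAPS handshake failed: {0}' -f $_.Exception.Message
} finally {
    if ($client) { $client.Close() }
}
```

Run it on the SEPM server rather than on your workstation: trust decisions depend on the certificate store of the machine making the connection, so a handshake that succeeds from an admin PC says nothing about SEPM.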
Perform the steps below if you would like to import an Organizational Unit or container
- Make sure you have added the directory server details in SEPM as described in the first section.
- From the Clients tab, select the client group to which you want to add the OU and choose 'Import organizational unit or containers'.
- Since the directory server is already added in the SEPM console, the 'Domain' drop-down box lets you select that server.
- It lists all the OUs present in Active Directory; select the OU you need and click 'OK'.
- Depending on the number of objects in the OU this takes a few seconds. Once it is added you can see the OU and the computers it contains in the list.
When we added the directory server we set it to synchronize groups every 24 hours. To synchronize manually, right-click the imported OU under the Clients tab and select 'Sync Now'.
In case of problems with AD sync, check the log 'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\logs\ADSITask-0.log' (on a 64-bit machine the location is C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tomcat\logs\ADSITask-0.log). Search for "Error Code"; the reason is given in the next few lines.
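Rather than opening the log in an editor and scrolling, the "Error Code" search with its trailing lines can be done in one PowerShell command. The snippet below is an added example, not code from the original article or from SEPM: it picks whichever of the two install paths exists and prints every "Error Code" hit together with the lines that follow it. The number of trailing lines kept (5) is an assumption.

```powershell
# Added example (not from the original article or SEPM): extract the failure reasons
# from the SEPM AD sync log, whichever install path is in use.
$candidates = @(
    'C:\Program Files\Symantec\Symantec Endpoint Protection Manager\Tomcat\logs\ADSITask-0.log',
    'C:\Program Files (x86)\Symantec\Symantec Endpoint Protection Manager\Tomcat\logs\ADSITask-0.log'
)
$log = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $log) { throw 'ADSITask-0.log not found under either SEPM install path' }

# -SimpleMatch treats "Error Code" literally; -Context 0,5 keeps the five lines after
# each match, which is where the log records the reason (5 is an assumed value).
$hits = Select-String -LiteralPath $log -Pattern 'Error Code' -SimpleMatch -Context 0,5
if (-not $hits) {
    'No "Error Code" entries in {0}; sync failures may be logged elsewhere.' -f $log
} else {
    foreach ($h in $hits) {
        '--- {0} line {1}: {2}' -f (Split-Path $log -Leaf), $h.LineNumber, $h.Line
        $h.Context.PostContext
    }
}
```

Because each hit carries its line number, you can paste the exact lines into a support ticket or compare the timestamps against the scheduled 24-hour sync to see whether every run is failing or only some of them.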