Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.

Note: Do not enable Distributed Intrusion Detection Service (IDS) in an environment that is using Distributed Load Balancer. NSX-T Data Center does not support using IDS with a Distributed Load Balancer.

To enable selective sync, use the domain create/update API with selective sync enabled and a list of selected Organizational Units (OUs). When selective sync is enabled, NSX-T only synchronizes the AD data inside the selected OUs. During a selective delta sync, only the Active Directory data that is inside the selected OUs and has been created or changed since the last sync is updated. If any directory groups are removed from the selected OUs, they will not be updated during a selective delta sync; they will be updated during a full sync, when all directory groups are updated. For more information, see the NSX-T Data Center API Guide.

Note: Use the API to connect an AD domain with more than 500 OUs. The UI does not support showing an AD Domain with more than 500 OUs.

If you use the API to manually end a full sync after it has begun, the sync statistics will not be updated correctly.

Note: IDFW relies on the security and integrity of the guest operating system. There are multiple methods for a malicious local administrator to spoof their identity to bypass firewall rules. User identity information is provided by the Guest Introspection Agent inside guest VMs. Security administrators must ensure that NSX Guest Introspection Agent is installed and running in each guest VM. Logged-in users should not have the privilege to remove or stop the agent.

Procedure

  1. From your browser, log in with admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
  2. Navigate to System > Identity Firewall AD > Active Directory.
  3. Click the three button menu icon next to the Active Directory that you want to synchronize, and select one of the following:
    Menu Item    Description
    Sync Delta   Perform a delta synchronization, where local AD objects that have changed since the last synchronization are updated.
    Sync All     Perform a full synchronization, where the local state of all AD objects is updated.
  4. Click View Sync Status to see the current state of the Active Directory, the previous synchronization state, the synchronization status, and the last synchronization time.
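The selective-sync behaviour described above (a delta sync picks up only objects inside the selected OUs that were created or changed since the last sync, while groups removed from AD disappear only on a full sync) and the Sync Delta / Sync All menu items can be modelled as follows. This is an added Python illustration, not NSX-T code; the OU names, group names and the integer change counter are constructed sample data.

```python
from dataclasses import dataclass, field

@dataclass
class DirObject:
    dn: str          # distinguished name, e.g. "CN=Sales-Admins,OU=Sales,DC=corp,DC=example"
    modified: int    # constructed change counter standing in for an AD change timestamp

@dataclass
class LocalState:
    objects: dict = field(default_factory=dict)  # dn -> DirObject held locally by NSX-T
    last_sync: int = 0                           # high-water mark of the last sync

def in_selected_ou(dn, selected_ous):
    """An object is inside a selected OU when its DN ends with that OU's DN."""
    return any(dn.lower().endswith("," + ou.lower()) for ou in selected_ous)

def full_sync(local, ad_objects, selected_ous):
    """Sync All: every object inside the selected OUs is rewritten, so objects
    deleted from AD (or moved out of the selected OUs) disappear locally."""
    local.objects = {o.dn: o for o in ad_objects if in_selected_ou(o.dn, selected_ous)}
    local.last_sync = max((o.modified for o in ad_objects), default=local.last_sync)
    return local

def delta_sync(local, ad_objects, selected_ous):
    """Sync Delta: only objects inside the selected OUs created or changed since
    the last sync are updated; groups removed from AD are left in place (stale)."""
    for o in ad_objects:
        if in_selected_ou(o.dn, selected_ous) and o.modified > local.last_sync:
            local.objects[o.dn] = o
    local.last_sync = max((o.modified for o in ad_objects), default=local.last_sync)
    return local

# Constructed sample domain: only the Sales OU is selected for sync.
OU_SALES = "OU=Sales,DC=corp,DC=example"
OU_ENG = "OU=Eng,DC=corp,DC=example"
SELECTED_OUS = [OU_SALES]
AD_AT_T1 = [DirObject(f"CN=Sales-Admins,{OU_SALES}", 1),
            DirObject(f"CN=Sales-Users,{OU_SALES}", 1),
            DirObject(f"CN=Eng-Admins,{OU_ENG}", 1)]
# By t=2: Sales-Users changed, Sales-Admins deleted from AD, Sales-Temps created.
AD_AT_T2 = [DirObject(f"CN=Sales-Users,{OU_SALES}", 2),
            DirObject(f"CN=Sales-Temps,{OU_SALES}", 2),
            DirObject(f"CN=Eng-Admins,{OU_ENG}", 2)]

def run_scenario():
    """Group CNs held locally after a full sync, after a delta sync, and after a second full sync."""
    names = lambda st: sorted(dn.split(",")[0] for dn in st.objects)
    local = full_sync(LocalState(), AD_AT_T1, SELECTED_OUS)
    after_full = names(local)
    after_delta = names(delta_sync(local, AD_AT_T2, SELECTED_OUS))
    after_refull = names(full_sync(local, AD_AT_T2, SELECTED_OUS))
    return after_full, after_delta, after_refull
```

Running `run_scenario()` shows the deleted Sales-Admins group surviving the delta sync and vanishing only after Sync All, while the Eng OU is never synchronized.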